This report describes a limited system safety analysis carried out on a
commercial vessel. The purpose of conducting the study was to (1) develop a
set of inspection criteria derived from a system safety study, (2) demonstrate
the application of system safety analysis methodology to a commercial vessel,
and (3) identify/define needed modifications to VIIS as currently being
developed for the Coast Guard. The safety analysis was limited to a study of
fire/explosion hazards in the vessel's cargo/cargo transfer system. The vessel
studied was a 38,000 ton special products carrier hauling gasoline, other
petrochemicals, and industrial chemicals in a cargo system consisting of 27
tanks and 21 pumps.


Three types of analyses were conducted: preliminary hazard, logic diagram,
and hazard mode and effect. Findings were based on study of documentation and
plans for the vessel plus two on-board inspections, one of which included a
six-day voyage. The commercial vessel environment proved entirely amenable to
system safety analysis procedures. Although no unexpected or unusual hazards
were identified, it was found feasible and reasonable to construct a safety
critical profile for the vessel. The impact on the design of VIIS was judged
to be minor and well within planned capabilities.
SYSTEM SAFETY ANALYSIS OF
A COMMERCIAL VESSEL

by 

E. S. Cheaney and A. J. Coyle

1.0 INTRODUCTION

As an integral part of its development of the Vessel Inspection Information
System (VIIS), Battelle's Columbus Laboratories (BCL) undertook the conduct of
a limited system safety analysis of a commercial vessel. The primary purpose
of this task was to find out if the use of system safety procedures as a part
of the Coast Guard's vessel safety program would in any way affect the design
of VIIS so that compatible features could be incorporated in the design if
appropriate. Secondary purposes were to explore the potential of system safety
procedures for safety assurance in commercial vessels and to provide an
example study for future use in the Coast Guard's vessel safety program.

Accordingly, a safety study of the cargo and cargo transfer system of a
special products tanker was performed. The study resulted in the construction
of a safety critical profile for the system and formulation of a set of
criteria and guidelines for the conduct of such studies aboard commercial
vessels. This report covers the conduct of the study. Discussions of the
study's background, the procedures used, and results achieved follow
immediately. The conduct of the safety analysis is described in the subsequent
major section. Pertinent information, including a description of the vessel
utilized in the study, is included in a series of appendices.

1.1 BACKGROUND


The VIIS program is aimed at developing a modern, computerized information
system designed to enhance the effectiveness and efficiency with which the
Coast Guard performs the vessel inspection function. The system is intended to
make a full array of inspection and safety information about a specific vessel
immediately available to the inspector in whatever port the vessel may have an
inspection of any kind scheduled or needed. The information will cover the
full materiel history of the vessel (including records of all previous
inspections), particulars of its design and construction, service history, and
special information on safety features and priority inspection items--aspects
of the vessel that should be given special attention by the inspector to
ensure safe conditions. The latter item of information about a vessel is
termed its "safety critical profile" (SCP).*

The background of this task is rooted in a premise about system safety
vis-a-vis the VIIS design which led to the original decision to make the task
a part of the VIIS development program. This premise is that such system
safety techniques as hazards analysis and risk management comprise a
potentially superior way of identifying and analyzing hazards in commercial
vessels in advance of the occurrence of accidents and that they will,
therefore, be incorporated within the foreseeable future as routine procedures
in connection with plan review and certification of new vessels. The results
of such activities would, of course, constitute an important set of basic
information about a new vessel and should influence decisions about inspection
priorities, methods, and procedures connected with the vessel. Obviously, the
results of such analyses would become part of VIIS' information content and
the system must be designed to have the capability for receiving,
manipulating, and retrieving, in useful form, the type of information about a
vessel such studies would produce. To do this, the example study was planned
to determine the type and best use of such information. At the same time, the
example study addressed the broader issues of how such analyses could best be
performed and the relative effectiveness of the techniques involved in
defining the safety--or lack of it--of a vessel. The task work plan was
developed with both the immediate question--how to design VIIS--and these
larger issues in mind.

* The concept of establishing such profiles for specific vessels or vessel
types is new. It was generated in connection with BCL's initial analysis of
the kinds of information needed by Coast Guard inspectors to enhance their
effectiveness and efficiency.
1.2 TASK OBJECTIVES

The task was conducted to serve the following three interrelated objectives:

(1) Develop a set of inspection criteria for the experimental vessel (an
    SCP) derived from conducting a system safety study. In meeting this
    objective, the task was intended to also accomplish these ends.

    • Generate useful inspection data about the study vessel/class

    • Measure the power of the system safety methodologies for developing
      inspection criteria with respect to new vessels or vessel features

    • Establish definitions and measures for the parameters governing
      hazard criticality from the standpoint of the inspection process.

(2) Demonstrate the application of system safety analysis methodology as
    applied to a major commercial vessel.

(3) Identify and define needed modifications to VIIS.

2.0 PROCEDURE

The procedures used in carrying out the study consisted of four sequential
steps: (1) vessel selection, (2) familiarization and Preliminary Hazard Study,
(3) onboard safety study, and (4) analysis and reporting.

2.1 VESSEL SELECTION


The study vessel was selected by BCL subject to ratification by the Coast
Guard's technical steering committee for this program. A variety of criteria
governing the selection appeared over the period of time it was being
considered.

The Coast Guard's original RFP specified that the experimental vessel should
be a modern, high-speed, cargo vessel. In BCL's proposal, additional selection
parameters were suggested:

    "....It is desirable to select a vessel which incorporates features that
    offer a wide range of potential hazards which could impact the full range
    of parties at risk. This implies a vessel which carries a wide variety of
    cargo types and includes a wide variety of subsystems. Also, to facilitate
    obtaining pertinent vessel data, the vessel design and construction should
    have been carried out by United States companies and shipyards."

The final selection was based on three additional criteria which evolved as
various types of vessels were specifically considered.

Methodology Challenge. The vessel type should strongly challenge the analysis
methodology. To do so, the vessel should not only be of modern design but
should reflect some aspect of advancing technology, such as use of advanced
materials, handling of new types of hazardous cargoes, or use of advanced
means of propulsion or vessel control. Also, the vessel type should
incorporate subsystems that are sufficiently complex that hazards will be
nonobvious, i.e., their detection requires exercise of rigorous analytical
methods and the ability to conceptualize accident chains freely.

Accident Impact. The vessel type should be such that the potential accidents
have the highest impact from the standpoint of the Coast Guard's safety
responsibilities. There are two impact elements to be considered:
parties-at-risk and environmental risk. A vessel type would be most
significant with respect to this criterion if the accidents it is likely to
have characteristically threaten (1) severe damage to the general public, as
well as the vessel, crew, and cargo; and (2) a spill polluting the marine
environment and atmosphere.

Expected Proportionate Population. The vessel type should be of growing
importance in commerce, handling a significant share of the total cargo hauled
over water. It should be representative of a substantial part of the
foreseeable future population of the types of ships in the merchant fleet--not
a one-time-only, highly unique class.

In the search for a vessel meeting these criteria, four types were examined:
(1) large tankers which feature the technology of "jumboization", (2)
handy-size special-purpose tankers which feature the technology of handling
and managing multiple, hazardous cargoes, (3) tankers designed for hauling
liquefied natural gas (LNG) which feature the technology of LNG containment
and management, and (4) containerships which feature the technology of
container handling and shipboard stowage. All these types offered a good
challenge to the safety analysis methodology.

From the standpoint of the kind of hazards most likely to be controllable by
inspection as opposed to design, the BCL team concluded that the
special-purpose tanker type offered the richest and most productive challenge
because of the multiplicity of kinds of hazards present. This conclusion was
based on the variety of cargoes handled; their characteristic intrinsic
hazardousness, both separately and in combination; and the physical and
operational complexity of the cargo-handling systems involved. It was decided
that the best choice would be a vessel whose cargo-handling system includes a
pump room where several pumps are installed with associated manifolding and
valving since this is a recognized high hazard feature of modern tankers.
Accidents involving this type of vessel are often collisions or groundings in
high traffic areas close to population centers ashore so the general public is
threatened by the fires and explosions and toxic release potential of such
accidents. Further, this class of vessel is of growing commercial importance
as revealed by projected building plans, as well as trends in commodity
traffic data.


A suitable vessel of this type was located and the cooperation of her owners
was solicited and obtained. By agreement with the owners, she will remain
anonymous in this report, being referred to simply as the "STUDY VESSEL". She
is of 38,000 tons displacement, 660.17' length overall, 90.17' extreme width,
and 36.65' summer draft. She has a cargo system consisting of 12 wing tanks
and 15 center tanks, totaling a liquid product carrying capacity of 329,000
barrels at 98 percent full. The cargo-handling system consists of 5
centrifugal and 3 reciprocating pumps in an after pump room and 13 deep-well
pumps located on the main deck over the tanks they serve. She carries a large
variety of petroleum and chemical products on a fixed route between a port on
the Gulf Coast and a terminal at a petrochemicals processing complex in the
Northeast. The full round trip, including loading and unloading, takes
approximately 12 days; the northbound run is loaded while southbound is in
ballast. She is steam turbine powered. The general hull arrangement is
conventional with house and propulsion aft. She is 10 years old, having been
built by Bethlehem Steel at Sparrows Point and put in service in 1966. In the
period she has experienced no casualties of significance to this study and
has not been modified. A more complete description of the vessel and her
systems is given in Appendix A. Also included in that appendix is a review of
the vessel's history, service, and the specific operating phases comprising
her service cycle.


2.2 FAMILIARIZATION AND PRELIMINARY HAZARDS STUDY

After selecting the vessel, the study team was formed consisting of the
authors of this report. The following familiarization steps were carried out:

• Coast Guard Documentation. A complete file on microfiche of the Coast
  Guard's initial documentation concerning the STUDY VESSEL was obtained and
  studied. This included plans and drawings, specifications, and test
  schedules and results.

• Owner Familiarization. The owner's main offices were visited to interview
  key individuals concerned with the safety and operation of the vessel and
  to study the documents and files concerning the vessel maintained by the
  home office.

• Vessel Familiarization Visit. The study team visited the vessel for a day
  while she was unloading at the northern terminal. A general inspection of
  the ship was carried out; interviews were held with the Chief Mate and
  Chief Engineer; and arrangements were finalized for the team's subsequent
  cruise aboard the vessel to do the safety job.

During and immediately following these familiarization steps, the team
carried out a preliminary hazards analysis of the STUDY VESSEL. Its purposes
were to list the main hazards in the vessel in her various operational phases
and to order these into a top-level accident environment. In connection with
this study, the vessel's main systems and their involvement in the different
accident categories were defined and described. Appendix B of this report
gives the main system breakdown used.

Based on this study, preliminary decisions were made as to which of the
vessel's systems would be studied in detail and which category of accidents
would be used in making the detailed study. At this point, it was decided to
concentrate the safety analysis on accidents involving fires or explosions in
the cargo and cargo-transfer system. The decision was based on the technical
complexity of the system and phenomena involved, which seemed to offer the
best corpus on which to try the system safety analysis techniques, and on the
current criticality of this class of accidents to the Coast Guard's vessel
safety program.

2.3 ONBOARD SAFETY STUDY

The study team boarded the vessel shortly after it arrived at its northern
terminal and began the unloading process; they observed the unloading and then
rode the vessel on its southbound voyage, leaving shortly after the ship tied
up and began the job of loading cargo. During the voyage, the team observed in
detail all the operations concerned with the cargo system, i.e., ballasting,
washing down empty tanks, handling cleaning slops, gas-freeing, cleaning
tanks, and conducting a number of other cargo system maintenance operations
(including a major job of renewing the expansion joints in most of the main
deck cargo piping). The onboard cargo system administration/accountability
setup was examined in detail with special reference to safety responsibilities
and their manner of discharge. Informal discussions, many in considerable
depth, were held with officers and crewmen concerning a variety of safety
matters and past experiences. The attitude and cooperativeness of all the
people aboard the STUDY VESSEL were outstandingly good--they took a real
interest in the study and its purposes and were anxious to be of help.

In addition to the attention given the cargo and transfer system, the ship's
other systems were studied to further confirm and refine the preliminary
hazards study and to get a clear picture of all the interface situations
between the cargo system and other ship's systems.

The study team devoted onboard time to the structuring, in preliminary form,
of logic trees describing several potential cargo system accidents and to
developing the first steps of an HMEA tabulation of cargo system hazards. Full
advantage was taken of being on the ship to check the detailed considerations
evoked by the trees and tabular formats of these hazards analysis techniques.

2.4 ANALYSIS AND REPORTING


The safety analysis consisted of carrying out the following steps:

(1) Review and formalization of the top-level accident array pertaining to
    commercial vessels

(2) Preparation and analysis of logic trees covering the fire and explosion
    accident situations postulated for the cargo system and pump room

(3) Preparation and analysis of an HMEA for the principal subsystems and
    components of the cargo system

(4) The construction, based on the above analyses, of a safety critical
    profile for the STUDY VESSEL'S cargo system.

(5) Preparation of a critique on the susceptibility of the STUDY VESSEL to
    the safety analysis techniques employed, giving guidelines for the most
    effective use of those techniques.

Following the conduct of those analysis steps, the present report was
prepared.


3.0 RESULTS

The results of the safety analysis are presented in a format parallel to that
of the task objectives stated in Section 1.2, namely, (1) a description of the
STUDY VESSEL'S SCP for the vessel system/hazard category studied with
supportive discussions of inspection data developed, power of the analysis
methodologies for generating the intended output, and an analysis of the
parameters governing criticality; (2) an appraisal of the study's utility as a
demonstration of system safety analysis for a commercial vessel; and (3)
identification and definition of needed modifications to VIIS.
3.1 INSPECTION CRITERIA--AN EXAMPLE SCP

The example SCP generated in this study is of limited scope in that it
pertains only to inspection activities in the STUDY VESSEL'S cargo system with
respect to the general hazard of fire and explosion. The techniques used in
developing it are judged to be tractable to expansion to all the other vessel
systems and all six types of general hazards.

The profile that resulted from this study is portrayed in Figure 1-1 in a
screen format to show how the information might be presented to a VIIS user.
Its structure is that of a grouped listing. The list is composed of the names
of failures for the inspector to attempt to discover using suitable methods of
examination and testing. Thus, the nomenclature has been worked out to convey
more than merely the name of a thing or subsystem to be inspected. The
criterion for inspection action is also implied.

The groups into which the list is divided are the priority categories that
were determined from a criticality analysis procedure discussed in Section
3.4. Although this procedure produces a finer-grained variation than is
reflected in Figure 3-1's grouping, it was considered infeasible from the
standpoint of practical inspection procedures for the inspector to be able to
respond effectively to more than two priority categories above the normally
significant list of inspection items.

The items listed in the priority 1 and 2 categories would be stored in VIIS as
an explicit part of the information contained in the "Vessel Inspection
Critical Profile" segment of the data base. No change in VIIS's design is
required to accommodate this.

3.2 INSPECTION RELATED DATA

The data upon which a system safety analysis depends, if quantitative
solutions whose numbers have real validity are being sought, are frequency
information concerning accident-initiating failures and cost information
concerning accident consequences. Of those two categories, the frequency
information is the most important. This system safety analysis proved to have
these same data needs.
No applicable data on the frequency of the accident-initiating failures
identified in this study were discovered. The failures were in two general
categories: (1) those creating a barrier-free, combustible fume path such that
an ignition could propagate into a closed tank or to a sustaining fuel source
and (2) those providing the requisite ignition. Typical of the first category
is the failure "flame arrest screen wasted and ineffective"; of the second is
"ungrounded metal objects in space." No records were found where failure
frequency information of that kind had been collected. In fact, no significant
collection of any failure frequency information for commercial vessels at the
component or subcomponent levels of detail is known to exist. For this reason,
the analysis was carried out using qualitative techniques. With such
techniques, experience and judgement of individuals knowledgeable in the area
are used as surrogates for quantitative data.

As will be discussed in the next section of this report, these qualitative
techniques produced plausible, consistent results in which it is believed the
Coast Guard can have confidence. However, a system safety analysis (or any
kind of system analysis) improves in its ability to assist in the making of
decisions to the extent that it can be switched to a quantitative basis.
Accordingly, one of the important implications of the Coast Guard's adopting a
system safety approach as a part of its vessel safety program is that
pertinent failure data could conveniently be accumulated in VIIS's central
data base over a period of time. The Coast Guard safety analysis program could
progressively be switched to this quantitative base. The initial qualitative
studies could define the failure data that are pertinent and should be
collected, thus making the best use of data collecting resources. VIIS, as now
designed, is capable of providing the accumulating and organizing capability
required and is estimated to have adequate capacity to store the data.

3.3 APPLICABILITY OF THE ANALYSIS TECHNIQUES TO COMMERCIAL VESSELS

The system safety analysis techniques employed in this study were readily and
effectively applied to the STUDY VESSEL. Although difficulties in details of
techniques were encountered, they were neither greater nor less than
difficulties that Battelle researchers have experienced in adapting system
safety analysis techniques to the urban mass transit, railroad, and natural
gas pipeline modes of transportation. Several distinct patterns or guidelines
for the use of the techniques in connection with commercial vessels emerged.

Three analysis techniques were used in carrying out this study: preliminary
hazards analysis (PHA), hazard mode and effect analysis (HMEA), and fault tree
analysis (FTA). The last of these was termed "logic tree analysis" in this
report as the authors consider this a more accurate descriptive name.* A PHA
uses a tabular/textual format to list the main hazards that must be considered
with respect to a system and to characterize them in various ways so as to set
design criteria, operational safety objectives or, as in the case of the
study, the relative effectiveness of various means of controlling the hazards
such as the inspection function. An HMEA also uses a tabular format to list
hazardous components and subsystem failures and make a systematic
investigation of the effects of such failures and their relative criticality.
The end purpose of an HMEA is to help guide decisions as to the most effective
use of resources in subduing the hazards in the system. Since the analysis
logic flow proceeds from the specific (component failures) to the general
(system level accident effects) it is properly described as inductive
analysis. Logic tree analysis is the reverse; it is a deductive process in
which the analyst postulates an undesired system event--an accident--as an
effect and then explores the possible causes of the event through successive
subdivisions of detail until the initiating failures that could cause the
accident are revealed. The symbolic logic diagram or "tree" is a convenient
and powerful form of notation for this mode of analysis. Its end purpose is to
reveal the multiple event chains that can cause accidents (the HMEA can only
handle single-event accidents) and portray them in convenient form for
qualitative engineering study. The logic diagram, if properly structured, is
also a rigorous, symbolic representation of the mathematical process by which
the probability of the top event accident can be calculated given the
probability of the root causes. Thus, this form of analysis also lends itself
to quantitative studies of hazards and their characteristics.

* The orderly practice of system safety analysis is beset by more-than-usually
severe problems of redundant and confusing terminology thought of and applied
by various practitioners. A PHA is otherwise known as a "gross hazards
analysis", or an "accidental environment analysis"; many authorities point
out, with strong justification, that the HMEA is identical to the reliability
engineer's failure mode and effects analysis (FMEA); and many workers,
including the authors of this report, have tried to do away with the
unfortunately loaded term "fault tree".

In the present study the analysis techniques functioned in a manner
complementary to each other; each played an essential role in obtaining and
supporting the findings. The PHA served to scope the study and provided
initial guidance as to the relative significance of the inspection function in
controlling fire and explosion hazards in the STUDY VESSEL'S cargo system.
This is a necessary prelude or first step in any safety analysis. The results
of the PHA are considered to be broadly applicable to this class of commercial
vessels. It is believed that a standardized set of general hazards and their
assessment might be established in the Coast Guard vessel safety program so
the PHA would not need to be re-done for each new vessel coming into service.

The HMEA technique was highly effective in focusing on inspection matters
since its starting point is a hypothesis about inspectable failures that might
occur. However, the HMEA was severely hampered because of its inability to
comprehend multiple event accidents--the ones most encountered in considering
fire and explosion hazards. On the other hand, the logic tree approach proved
highly adept and flexible in dealing effectively with this kind of complexity.
The logic tree approach seemed to the authors a considerably more powerful
tool for identifying the root cause conditions in initiating accidents and
comparing their criticality. The main detriment associated with logic tree
analysis was that it is inherently overly comprehensive--the analyst finds
himself studying matter not germane to his problem in order to construct a
good logic tree for an accident. The logical rigor imposed by the tree
construction process makes the analyst's job demanding and expensive both as
to professional staff cost and time costs. Any decision made to employ a logic
diagram analysis should be made recognizing this cost increment over other
forms of safety analysis.
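The logic tree analysis described above, worked as an added Python example that is not part of the report: it builds a small tree for the study's fire/explosion accident category from the two failures named in Section 3.2 plus constructed placeholder events and failure probabilities, derives the minimal cut sets (the multiple-event chains an HMEA alone cannot reach), and evaluates the top event both exactly and by the rare-event sum that ranks the chains for inspection priority.

```python
"""Deductive logic (fault) tree evaluation for a cargo-tank fire/explosion top event.

Added example; the tree, the two constructed basic events and every probability
are illustrative placeholders, not data from the study.
"""
from dataclasses import dataclass, field
from typing import Optional

AND, OR = "AND", "OR"


@dataclass
class Event:
    """A node of the logic tree: a gate over child events, or a basic (root-cause) event."""
    name: str
    gate: Optional[str] = None            # None marks a basic event
    children: list = field(default_factory=list)
    prob: float = 0.0                     # used only for basic events


def basic(name: str, prob: float) -> Event:
    return Event(name, None, [], prob)


def gate(name: str, kind: str, *children: Event) -> Event:
    return Event(name, kind, list(children))


def basic_events(node: Event) -> list:
    if node.gate is None:
        return [node]
    return [b for c in node.children for b in basic_events(c)]


def minimal_cut_sets(node: Event) -> set:
    """Deductive pass: each minimal set of root-cause failures that produces this event."""
    if node.gate is None:
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(c) for c in node.children]
    if node.gate == OR:
        sets = set().union(*child_sets)   # any one child's cut set suffices
    else:
        sets = {frozenset()}              # AND: one cut set from every child, combined
        for cs in child_sets:
            sets = {a | b for a in sets for b in cs}
    # drop any set that strictly contains another set (non-minimal)
    return {s for s in sets if not any(o < s for o in sets)}


def single_event_cut_sets(node: Event) -> set:
    """The accidents an inductive, one-failure-at-a-time HMEA table could reach on its own."""
    return {cs for cs in minimal_cut_sets(node) if len(cs) == 1}


def top_event_probability(node: Event) -> float:
    """Exact gate arithmetic; assumes independent basic events, each appearing once
    in the tree (true of the tree below)."""
    if node.gate is None:
        return node.prob
    ps = [top_event_probability(c) for c in node.children]
    if node.gate == AND:
        p = 1.0
        for q in ps:
            p *= q
        return p
    miss = 1.0                            # OR: 1 - P(no child event occurs)
    for q in ps:
        miss *= 1.0 - q
    return 1.0 - miss


def cut_set_ranking(node: Event) -> list:
    """(probability, sorted event names) per cut set, highest first: the quantitative
    answer to 'which failure chain is most important to inspect for'."""
    probs = {e.name: e.prob for e in basic_events(node)}
    ranked = []
    for cs in minimal_cut_sets(node):
        p = 1.0
        for name in cs:
            p *= probs[name]
        ranked.append((p, tuple(sorted(cs))))
    return sorted(ranked, reverse=True)


# Constructed tree. The two unlabelled basic events are the failures the report names;
# the two marked (constructed) and all probabilities are placeholders.
FUME_PATH = gate("barrier-free combustible fume path into closed tank", OR,
                 basic("flame arrest screen wasted and ineffective", 0.05),
                 basic("tank vent opening left unsecured during transfer (constructed)", 0.02))
IGNITION = gate("ignition source present in space", OR,
                basic("ungrounded metal objects in space", 0.10),
                basic("portable electrical equipment not certified for the space (constructed)", 0.01))
TANK_FIRE = gate("fire or explosion in a closed cargo tank", AND, FUME_PATH, IGNITION)

if __name__ == "__main__":
    print("single-event chains an HMEA could find:", single_event_cut_sets(TANK_FIRE))
    for p, names in cut_set_ranking(TANK_FIRE):
        print(f"{p:.4f}  {' + '.join(names)}")
    print("exact top-event probability:", round(top_event_probability(TANK_FIRE), 6))
```

Because the top gate is an AND, no single failure reaches the top event, so the HMEA view returns nothing while the tree yields four two-event chains, and the rare-event sum (0.0077) slightly overstates the exact value (0.007521).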
As noted in the previous section, all analysis techniques were applied in an
essentially qualitative way because of the sparseness of relevant data. This
consideration plus those discussed in the foregoing led to the following
tentative guidelines for conduct of system safety analyses with commercial
vessels:

(1) Always conduct a PHA as a first step to scope the exercise,
define the accident types to be considered, identify the
interfaces involved, and define the main hazards to be
dealt with.

(2) Utilize the accident logic diagram as the principal analytical
technique so the strategy of the study is essentially
deductive. Complement this with HMEA examinations
of subsystems and components.

(3) Be willing and prepared to proceed with qualitative analysis
techniques as illustrated in this study.

(4) Scope studies carefully to avoid excessive labor. Properly
applied, the techniques work well with limited scope because
they handle interfaces effectively. It is not necessary to
study a complete vessel if one is concerned only with the
cargo system.

3.4  CRITERIA  FOR  CRITICALITY 


The "criticality" at issue in this study is the relative importance of
inspecting for a given failure. The criticality analysis sought to answer
the question "given a number of failures that could cause accidents at various
levels of severity, which is the most important to inspect for, which next,
and so on?" The failures referred to are not accidents. They are failures
of equipment or structure which could lead to an accident in service. In
this context, shell plating wasted to less than the minimum allowable thickness
would be such a failure.

In the present study, the following criteria were found to be significant
to assessing the criticality of inspecting for a failure.

• Hazard  Severity.  The  relative  severity  of  the  consequences 
of  the  accident  that  would  result  from  activation  of  the 
hazard.  A hazard  severity  classification  scheme  was  developed 
during  this  study  and  is  described  in  the  section  covering  the 
conduct  of  the  preliminary  hazard  analysis.  The  higher  the 
severity  the  greater  the  criticality. 
• Impact of Inspection on Failure Probability. The degree to
which the inspection process can favorably alter the probability
of occurrence of the failure. This basically has to do with how
much control the inspection process is able to exert over the
hazard by discovering the failure and getting it restored. The
assessment depends on how long, with respect to the inspection
interval, the restoration is expected to last. A ullage cap
found improperly installed by an inspector may be corrected on
the spot but then it may be used and reinstalled improperly
again the next day. On the other hand, a vapor leak path caused
by a badly corroded weld joint at a tank penetration would be
restored by welding new material in place — a restoration that
should last a matter of years, well beyond the interval to the
next inspection. In the former case the inspection process has
exerted almost no control over the hazard involved whereas in
the latter case virtually complete control has been obtained.

The  criterion  should  be  applied  so  that  inspection  effort  is 
spent  first  on  high  control  effectiveness  items. 

• Combinations  Required.  The  failure  combinations  required  to 
initiate  the  accident.  Some  failures  can  precipitate  the  accident 
of  concern  by  themselves;  these  are  termed  "single-failure" 
accidents.  In  other  cases,  the  failure  cannot  by  itself  cause 
the  accident;  some  other  one  must  occur  at  the  same  time.  For 
example, a fire requires the simultaneous presence of a combustible
vapor (a failure of some kind causing a leak) and a source of ignition.
These are termed "two-failure" accidents. A two-failure
accident  is  less  probable  than  a single  failure  accident  hence 
failures  in  the  single  failure  class  are  considered  more  critical 
to  inspect  for  than  those  in  the  multiple  failure  class. 

These  three  criteria  were  used  qualitatively  in  arriving  at  the  SCP 
presented  in  the  foregoing  section.  The  criteria  are  mixed  in  that  some 
are  keyed  to  safety  considerations  whereas  others  are  related  to  matters 
of  effectiveness  in  use  of  inspection  resources.  In  applying  these  criteria 
the  project  team  weighed  them  uniformly. 
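As an added illustration, not part of the original report, the following Python applies the three criteria above to a few constructed failure items. It derives the inspection-control score from how long a restoration is expected to last relative to the inspection interval, as the second criterion describes, and weighs the three criteria uniformly as the project team did; all item names, categories and durations are constructed.

```python
"""Rank inspection items by the report's three criticality criteria.

Added example, not part of the original report. The failure items, hazard
categories and durations below are constructed for illustration.
"""
from dataclasses import dataclass

# Hazard severity: the report's Table 4-1 scheme runs from category I to
# category IV, with IV the most severe. The 0..1 mapping is a constructed
# choice so that all three criteria share one scale.
SEVERITY_SCALE = {"I": 0.25, "II": 0.5, "III": 0.75, "IV": 1.0}


@dataclass(frozen=True)
class FailureItem:
    name: str
    hazard_category: str      # "I" .. "IV" per Table 4-1
    restoration_days: float   # how long a restoration is expected to last
    failures_required: int    # 1 = single-failure accident, 2 = two-failure


def control_effectiveness(item: FailureItem, inspection_interval_days: float) -> float:
    """Criterion 2: how much control inspection exerts over the hazard.

    The report keys this to how long the restoration lasts with respect to
    the inspection interval. A repair that outlasts the interval gives
    virtually complete control (1.0); a fix undone the next day gives
    almost none (near 0).
    """
    if inspection_interval_days <= 0:
        raise ValueError("inspection interval must be positive")
    return min(1.0, item.restoration_days / inspection_interval_days)


def combination_score(item: FailureItem) -> float:
    """Criterion 3: single-failure items outrank multiple-failure items."""
    if item.failures_required < 1:
        raise ValueError("an accident needs at least one failure")
    return 1.0 / item.failures_required


def criticality(item: FailureItem, inspection_interval_days: float) -> float:
    """Uniformly weighted sum of the three criteria, each on a 0..1 scale."""
    return (SEVERITY_SCALE[item.hazard_category]
            + control_effectiveness(item, inspection_interval_days)
            + combination_score(item))


def rank_for_inspection(items, inspection_interval_days=180.0):
    """Return (name, score) pairs, most critical to inspect for first.

    The default interval of 180 days is a constructed value inside the
    six-month to one-year range the report gives for inspection intervals.
    """
    scored = [(it.name, round(criticality(it, inspection_interval_days), 3))
              for it in items]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed items echoing the report's own illustrations.
SAMPLE_ITEMS = [
    # Corrected on the spot but may be reinstalled improperly the next day;
    # a fire still needs an ignition source, so it is a two-failure item.
    FailureItem("ullage cap improperly installed", "IV", 1, 2),
    # Restored by welding new material, lasting years; still two-failure.
    FailureItem("corroded weld at tank penetration (vapor leak)", "IV", 5 * 365, 2),
    # Structural failure can follow by itself: single-failure, durable repair.
    FailureItem("shell plating wasted below minimum thickness", "IV", 5 * 365, 1),
    # Constructed lesser hazard for contrast.
    FailureItem("deck drain fitting loose", "II", 30, 2),
]

if __name__ == "__main__":
    for name, score in rank_for_inspection(SAMPLE_ITEMS):
        print(f"{score:5.3f}  {name}")
```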

3.5  UTILITY  OF  THIS  STUDY  AS  A DEMONSTRATION 

This study is considered to have served its purposes adequately as a
demonstration. The applicability of system safety analysis techniques to
commercial vessels has been shown; their ability to generate an SCP has
been confirmed; and their probable impact on the design of VIIS (to be
covered in the next subsection) has been measured. The demonstrations
as to these matters are considered credible by the research team.
There was some concern about the study's usefulness when it became
apparent to the study team that the hazards identified in the course of the
work did not include new or unsuspected ones of significance. It had been
expected at the outset that the investigation would turn up some interesting
surprises, thereby lending credence to the claim that systems safety analyses
are capable of spotting hazards in novel technology systems where no accident
history is available; that such surprises did not materialize had the effect
of an anticlimax. For a time, this obscured the significance of the study's
main result — the development of a structured, prioritized recitation of
detailed fire/explosion hazards in the STUDY VESSEL'S cargo system which
spans and goes beyond the experience base on hazards in this type of vessel.
It was developed through the rigorous use of system safety analysis techniques.
The fact that it effectively captures what experience and expertise
would be able to offer using traditional approaches to safety assurance is
considered strong testimony to the efficacy of the system safety approach
in identifying hazards.

This is not to say that this study is a candidate to serve as a
reference work upon which to base the implementation of system safety
analysis procedures in the Coast Guard's vessel safety program. It cannot
do that because of its limited scope (one casualty type, one ship system,
and one ship). A body of work encompassing a much greater range of example
analyses would be required to perform the basic reference function effectively.
The entire accident spectrum should be investigated for all the
systems in several vessels representing the principal types in commercial
service. A vessel system safety study carried out in a scope of this magnitude
could result in a comprehensive documentation of example safety analysis
exercises for commercial vessels. Such documentation would provide direct
guidance for investigations the Coast Guard might wish to conduct internally;
it could be referenced in situations in which the Coast Guard might specify
that a vessel system safety study be conducted by others as a means of
compliance with a safety requirement.
3.6 POTENTIAL IMPACTS ON VIIS

The  results  of  the  safety  analysis  are  expected  to  affect  the  design 
of  VIIS  in  three  ways. 

First,  the  system  must  provide  capability  for  entry,  update  and  retrieval 
of  an  SCP  for  each  vessel  in  the  system  as  appropriate.  This  amounts  to  the 
addition  of  one  more  "product"  to  those  already  provided  in  the  system.  VIIS 
has  been  designed  with  the  flexibility  to  add  and  delete  products  of  this 
kind  without  any  impact  on  the  system's  software  or  hardware. 

Second, the system must be able to accumulate failure data from the
field in the manner noted in the discussion in Section 3.2. The capability
for performing this function is already incorporated in the VIIS design as
the Vessel File Damages/Defects Log.

Third, it may be found advantageous, if system safety practices become
a part of the Coast Guard's vessel safety program, to incorporate the capability
to solve logic trees in VIIS. Such a capability would become an
integral part of the system's array of analysis programs. Note that this
capability would probably not be of direct usefulness in the inspection
program. Rather, it would be exercised in connection with plan review
activities.

A discussion of how the VIIS implementation plan should be modified to
incorporate the above features is included as Appendix C.

4.0  SYSTEM  SAFETY  ANALYSIS 

The purpose of any system safety analysis procedure is to assist
in determining the most effective use of available resources to assure the
safe  operation  of  the  system  involved.  In  this  case,  the  "system"  is  the 
STUDY  VESSEL  and  the  available  resources  consist  of  the  Coast  Guard's 
inspection  function — its  personnel,  facilities,  and  regulatory  authority. 

The  inspection  function  can  affect  directly  only  the  materiel 
condition  of  the  ship;  consequently,  of  all  the  accidents  that  might  occur 
to  the  STUDY  VESSEL,  only  those  triggered  by  materiel  failures  can  be 
prevented through inspection. This is the inherent scope of inspection's
capacity to assure safe operation of the system. Inspection cannot prevent
accidents occurring because of crew mistakes in operating or navigating
the vessel nor can it prevent accidents caused by inadequacies in the
vessel's original design. In fact, the most apt description of the inspection
function's hazard control scope is that it operates on those hazards
arising due to the vessel's going in any manner to an off-design materiel
condition. Note further that this process is necessarily discontinuous —
the effective inspection interval is on the order of six months to a year —
so off-design degradations are permitted by the process. The severity to
which they are allowed to develop is limited by the inspection interval.

Within  this  field  of  action,  then,  the  purpose  of  system  safety 
analysis  is  to  help  choose  the  inspection  procedures  that  will  make  the 
most  effective  use  of  the  inspector's  time  and  the  Coast  Guard's  regulatory 
authority in controlling hazards. This is an optimization objective the
recognition of which led to the concept that the specific failure items to
be inspected for on the STUDY VESSEL could be rank-ordered by a criterion
of importance for inspection. This concept, in turn, led to the idea of
structuring the safety critical profile for the vessel as discussed
previously.

Three  safety  analysis  techniques  were  employed:  (1)  preliminary 
hazards  analysis,  (2)  logic  diagram  analysis,  and  (3)  hazard  mode  and 
effects analysis. Using the results of these studies, an inspection
criticality criterion was formulated and the inspection items were
rank-ordered using it. Finally, the safety critical profile was developed.

Preceding the conduct of these analyses, an examination of the
commercial vessel accident environment was carried out as a separate step
to scope the subsequent studies and define the types of accidents to be
considered.

4.1  THE  COMMERCIAL  VESSEL  ACCIDENT  ENVIRONMENT 

The accident environment in which the STUDY VESSEL functioned
was examined first in general terms — a review of all the types of accidents
that might occur — and then specifically for the purpose of choosing the
accidents and systems to be analyzed in detail. The accident environment
is portrayed symbolically in Figure 4-1. The environment was visualized
as a three-level tree in which each level shows more detailed subdivisions
of basic accident types. In doing so, the tree also implies the categories
of parties-at-risk with respect to each accident type. These accident and
parties-at-risk categories were based on traditional definitions evolved
in Coast Guard usage over the years of its operational responsibility for
marine safety matters. In connection with this study, the definitions of
the categories were reviewed and updated to ensure that they cover all the
accidents and risk areas that could conceivably pertain to the STUDY VESSEL
and her general class.

The diagram was drawn with logic symbology because it forms the
top level of accident analysis trees that were developed later in the safety
study. The alphanumeric locators designate "events", as described in the
rectangular boxes, and "logic gates" as symbolized in the OR symbols. The
meaning and use of this symbology is covered in Appendix D of this report.
For the present discussion, the figure's significant meaning lies in the
party-at-risk categories and accident class subdivisions it portrays.

4.1.1  Party-at-Risk  Categories 

In the Coast Guard's domain of responsibility, there are three
impact groups or parties-at-risk that are hazarded by the kinds of accidents
that might occur to the STUDY VESSEL. They were defined more precisely
in the following terms:

• Public-at-Risk. This category includes risk to the
life  and  well-being  of  members  of  the  general  public; 
risk  of  damage  or  loss  to  public  property;  and  risk 
of  damage  to  the  marine  environment. 

• Vessel-at-Risk.  This  category  includes  the  risk  that 
an  accident  will  result  in  damage  to  or  loss  of  the 
vessel  and/or  her  valuable  cargo. 


FIGURE  4-1.  LOGIC  DIAGRAM  PORTRAYING  THE  COMMERCIAL  VESSEL  ACCIDENT  ENVIRONMENT 
• Crew-at-Risk. This category includes the risk that an
accident will occur resulting in injury (including
fatalities) to members of the crew of the vessel involved
or to members of officially designated rescue and aid
parties.


4.1.2 Accident Categories


The primary accident type subdivisions are discussed in the following
subsections. Two of these classes, labeled B12 and B31 in Figure 4-1,
are classed as "secondary effects" accidents. In these cases the final
results of the accidents are the same as the "primary effects" accidents
B11 and B32 respectively; hence, they are not separately described.


4.1.2.1 Hazardous Cargo Spills. This accident class was defined
as including any occurrence resulting in release of cargo of a hazardous
nature but not involving damage to the vessel or crew. In this context,
"release" means that a significant amount of cargo escapes any control measures
available and activated. In other words, if cargo momentarily escapes
the vessel's containment system but the spill is immediately contained so
that damage to property and environment do not result, then the spill is
considered not to have occurred in the terms of this safety analysis. The
term "hazardous" in this context refers to materials that offer damage to
the marine environment, as well as those that are toxic, explosive, etc.

An intact vessel spill can occur in a variety of ways. The most frequent,
in the STUDY VESSEL'S class of ships, are spills in connection with loading
and unloading operations. Others occur as a result of degradation or
operational failures of the cargo containment system (e.g., tank leak at a
corroded fitting). This accident class was also defined to include intentional
discharges as when bilges are pumped illegally. This is not, strictly speaking,
an accident but is included for convenience on the rationale that an
illegal act can be regarded as a human error hazard.

4.1.2.2 Collision, Ramming, Grounding. This is the class of
accidents  where  as  a primary  event,  the  vessel  strikes  another  object. 
"Collision"  refers  to  striking  another  vessel.  "Ramming"  means  striking 
another  object,  such  as  a pier,  that  is  not  a vessel.  "Grounding"  refers 
to  events  where  the  vessel  contacts  the  bottom  or  the  shore. 
4.1.2.3 Structural Failure. This accident type includes all
circumstances  where  a vessel  experiences  major  structural  failure  as  a 
primary  event.  A vessel's  breaking  up  in  heavy  seas  due  to  overstressing 
the  hull  strength  members  is  an  example. 

4.1.2.4 Flooding, Capsizing, Foundering. This accident type
involves a vessel's losing buoyancy or stability or both as a result of
primary events such as loss of watertight integrity or incorrect cargo
load distribution. As a primary event, this type is rare; it more frequently
occurs as a secondary event after collision, ramming, grounding,
or structural failure.

4.1.2.5 Fire or Explosion. This accident type includes any
situation aboard the vessel where an ignition propagates explosively or
to a sustained supply of fuel to form a fire.

4.1.2.6 Occupational Accident. This is any accident aboard the
vessel causing injury or death to crew members but not caused by a vessel
casualty.

4.2  PRELIMINARY  HAZARDS  ANALYSIS 

As discussed in Section 3.3, the purpose of a PHA in a safety
analysis is to list the main hazards that should be considered with respect
to a system and characterize or classify them in a variety of ways in order
to set design criteria, define operational safety objectives, or, as in the
case of this study, to investigate the relative effectiveness of various
means of controlling the hazards. The means in which there is the greatest
interest here is inspection. Others are: improved design, special operating
procedures, etc.

In  this  case,  another  special  purpose  of  performing  a PHA  was  to 
confirm  the  tentative  decision  to  concentrate  the  later  detailed  safety 
analysis  effort  on  the  STUDY  VESSEL'S  cargo  system  and  the  accident  category 
"fire  and  explosion".  The  tentative  decision  was  based  on  the  current 
importance of the cargo system — especially the pump room part of it — to the
Coast Guard's safety program. The PHA was able to help re-examine that
decision in the context of the complete hazard picture for the STUDY VESSEL.


4.2.1  PHA  Technique 

The PHA utilizes a tabular/textual format of great flexibility.
As long as a broad hazards-listing approach is taken, there are few other
prescribed factors to be taken into account in setting up the analyses. The
investigator is free to identify and tabulate those aspects of the hazards
that best serve his purpose. In this study, seven such aspects were assessed.

4.2.1.1 Vessel Operating Phase. Many of the hazards are "active"
— can become accidents — only during certain of the vessel's operating cycle
phases.  For  example,  it  is  unreasonable  to  suppose  that  the  STUDY  VESSEL 
would  capsize,  as  a primary  accident,  while  unloading  cargo  at  the  pier. 
Further,  the  severity  of  the  consequences  of  all  the  types  of  accidents  con- 
sidered varies  markedly  from  one  operating  phase  to  the  next.  It  would  be 
worse  to  have  a major  explosion  while  tied  up  at  the  pier  unloading  near 
large  population  centers  than  while  several  hundred  miles  at  sea  so  only 
the  vessel  and  crew  are  hazarded.  Accordingly,  the  STUDY  VESSEL'S  operating 
cycle  was  broken  down  into  phases  and  the  hazards  analysed  with  respect  to 
each  of  the  phases.  The  phases  chosen  for  the  STUDY  VESSEL  are  listed  in 
Appendix  A. 


4.2.1.2 Hazard Activation Modes. The circumstances which must
exist  in  order  to  activate  a hazard  reveal  much  about  how  that  hazard  can 
best  be  controlled  and,  of  interest  here,  the  relevance  of  inspection  to 
controlling  it.  Data  required  to  fill  out  this  column  concern  the  types  of 
failures,  omissions,  design  deficiencies,  and  the  like  that  can  be  conceived 
of  to  bring  about  the  accident. 


4.2.1.3 Relative Frequency of Accident Type. This factor assessment
measures the level of historical occurrence of the accident type in the
vessel class. There are some statistics collected on this topic, so a
quantitative assessment could theoretically be made. However, each of the
hazards considered in the PHA is being considered as a "primary" hazard —
the accident being assessed does not occur as a secondary effect to some
other casualty. Available data collections on vessel casualties are confusing
in this respect: many chain-type casualties are indexed to their
secondary or tertiary accident types instead of the primary. Also, the
published information is not broken down by operating phase. Therefore, a
considerable amount of judgement must go into the making of this assessment
and the measures chosen for entry in the table are not quantitative ones.

4.2.1.4 Potential Accident Effects. This assessment column
indicates  the  expected  effects  of  the  accident  type  under  consideration.  In 
making  this  assessment,  the  probable  secondary  and  tertiary  consequences  of 
the  primary  accident  event  are  taken  into  account.  For  example,  if  the 
accident  event  being  considered  is  "collision",  the  potential  effects 
assessment  recognizes  that,  in  all  probability,  a collision  involving  the 
STUDY  VESSEL  would  result  in  a major  spill  of  hazardous  cargo,  since  cargo 
tanks  would  probably  be  breached  as  a secondary  consequence  of  the  collision. 
In assessing potential accident effects, the structure of the parties-at-risk
concept discussed earlier was taken directly into account.

4.2.1.5 Hazard Category. This characteristic recognizes that
the hazards under consideration do not have the same potential for damage and
loss. Some are more severe in this respect than others. The idea of there
being a gradient of severity among hazards is one of the most important
bases of the whole system safety approach; the most important of the primary
reference documents codifying the ideas of system safety, MILSTD 886, prescribed
early a scheme for representing the different severity levels
hazards can have. That scheme has been adapted by this project team to the
context of commercial vessel safety. The different categories and their
meaning are shown in Table 4-1.
again the day after the inspection took place. In the latter case, however,
the failure would be readily detectable and would be restored by welding new
material in the place — a permanent repair lasting a matter of years, well
beyond the inspection interval.

The assessment of this characteristic for each hazard in the PHA
was made using the following ranking parameters.

Weak: materiel degradation is a zero or minor contributor to hazard
actuation. Also, materiel degradation is of small importance to accident
effects mitigation or containment. The hazard control picture is dominated
by use of fail safe or high-reliability devices and/or use of special
procedures by operational crews.

Medium: materiel degradation accounts for only a portion of the conditions
that could activate the hazard or mitigate its effects.

Strong: materiel degradations amenable to permanent repairs are the major
potential causes of activating the hazard.

4.2.2  Study  Vessel  PHA 

The results of the PHA conducted on the study vessel are shown in
the tabulation in Figure 4-2. Several significant insights about the role
and pertinence of the inspection function were drawn from these results.

• With respect to primary hazards, the inspection function is
of greatest importance for controlling the structural failure
hazard, and of considerable importance for the flooding-
capsizing-foundering and fire and explosion hazards. It has
little control significance with collision-ramming-grounding,
intact vessel spills, and occupational accidents.

• Since both structural failure and fire and explosion are
frequently-occurring secondary hazards — following collisions —
the inspection function takes on added importance for effects
mitigation.

• The hazard picture for commercial vessels of the STUDY VESSEL'S
class is severe. Nearly all of them were category IV hazards
threatening more than one of the parties-at-risk in all vessel
operating modes assessed.
• The most severe overall hazard condition exists when the vessel
is loading or proceeding loaded in or out of harbor. Next most
severe is unloading. The main influencer here is the condition
of hazardous cargo being close to population centers.

The most hazardous condition for the vessel and crew at sea
is when tank cleaning operations are being carried out during
the southbound voyage.

FIGURE 4-2. PRELIMINARY HAZARDS ANALYSIS
(Tabulation; column headings: Primary Hazard; Vessel Operating Phase;
Hazard Activation Modes; Relative Frequency in Vessel Class; Ship Systems
Involved - Primary - Secondary - Etc.; Potential Effects; Hazard Category;
Degree of Inspection Control; Remarks and Methods of Control.)


4.2.3 Selection of Scope for More Detailed Safety Analyses

The  hazards  picture  drawn  by  the  PHA  strongly  supported  the 
tentative  decision  made  earlier  to  perform  the  more  detailed  safety  analyses 
steps  on  the  STUDY  VESSEL'S  cargo  system  and  deal  only  with  the  primary 
hazard  "fire  and  explosion".  The  need  to  limit  the  detailed  studies  to 
some  such  scope  had  been  recognized  from  the  outset  of  the  program — there 
were  not  enough  resources  to  conduct  a safety  analysis  of  the  entire 
vessel.  The  tentative  scope  selection  was  based  on  recognition  of  the 
current  criticality  to  the  Coast  Guard  of  hazardous  cargo  related 
casualties — especially  those  causing  spectacular  fires.  The  only  concern 
on  the  point  stemmed  from  the  question  of  how  strongly  the  inspection 
function bore upon that accident class in that vessel system. The PHA
showed a strong but not dominant role for inspection. This was accepted
as being a satisfactory situation for pursuing the objectives of this
research task.

4.3  LOGIC  DIAGRAM  ANALYSIS 

The  logic  diagram  analysis  began  with  event  B22  in  the  top  level 
tree  shown  in  Figure  4-1.  The  tree  was  developed  down  from  this  event 
through  the  C and  D levels  in  order  to  identify  the  specific  accidents  of 
concern  in  this  analysis.  Figure  4-3  shows  this  development  and  also  re- 
peats the  complete  top  level  diagram  for  convenience.  Correct  symbology  is 
used  in  this  portrayal  of  the  diagram  to  indicate  the  branches  being  devel- 
oped in  this  analysis.  A discussion  of  how  the  logic  diagrams  are  constructed 
giving  explanations  of  the  symbols  used  is  given  in  Appendix  D. 

The rationale behind the C-level development is that the ship
systems most vulnerable to the fire and explosion hazard are those where
significant amounts of combustible materials (fuel oil, combustible cargo,
bedding, clothing) and ignition sources (flames, hot metals, cookstoves)
are normally present. Three of the STUDY VESSEL'S systems were judged to be
in this category and therefore would merit individual attention in analyzing
the STUDY VESSEL'S potential for experiencing fire and explosion accidents.
The three are identified in the diagram using symbology to indicate that, in
accordance with the scope decision discussed previously, only the cargo
system branch, event C22, will be developed further. The balance of the
vessel's systems are collected as a single event, C24, to provide a path for
analysis of any of them should this prove significant to the problem.

The D-level development indicates how the cargo system in the
STUDY VESSEL was subdivided in considering its susceptibility to fires and
explosions. The pump room is a clearly separable part of the cargo system;
all the fire and explosion events which could potentially occur within the
physical confines of the pump room space will be developed from this event,
D21. Event D22 is defined to include all fire and explosion accidents occurring
within any of the STUDY VESSEL'S cargo tanks or adjacent cofferdams.
Event D23 was defined to include fires and explosions occurring in conjunction
with combustible cargo's being spilled on the main deck or over the
side and then being ignited in some way. This subdivision of the cargo
system of the STUDY VESSEL is intended to be comprehensive, that is, all
elements of the vessel's cargo system are intended to be included in one of
the three named subdivisions. For example, the vent and main deck piping
systems are included as a part of the "cargo tank" event for the purposes
of this analysis.

The diagram is truncated at the D-level with symbols indicating the Figure number in this report where the development of each event is continued. As the development of the logic diagrams continues to greater levels of detail, a large number of failures and hazardous conditions will be identified at the roots of the trees. These failures and conditions are hypothetical only. They were identified as possibilities by the study team using analytical and conceptual processes. The failures and hazardous conditions were not observed to exist on board the STUDY VESSEL.

4.3.1 Pump Room Fires and Explosion Study

The development of the pump room branch of the diagram was based on the study team's conceptualization of the ways in which such events could occur. In addition to the physical familiarization with the pump room and its equipment that was acquired during the voyage, the team reviewed reports of pump room casualties which have occurred in the past, studied the provisions in the CFR 46 Subchapter D, the appropriate sections in the Coast Guard Manual and the Tanker Safety Guide, and conferred on pump room operations and safety practices with appropriate individuals in the STUDY VESSEL's crew. With this body of information in hand, the development of the pump room accident diagram was carried out as a creative design effort.

Basic to the structure of the D21 diagram was the team's recognition that the pump room could be analyzed independently of the different phases of the STUDY VESSEL's operating cycle. The pump room is fully functioning during the cargo unloading phase, but it is used almost as much during the southbound cruise in connection with ballast management and tank cleaning/preparation activities, and it is frequently activated for miscellaneous purposes during the other phases of vessel operation. Furthermore, the basic hazardous condition in the pump room — the presence of cargo liquids in the bilges — is physically independent of the vessel's operating cycle. Therefore the pump room analysis is established on a continuous operation basis.

The hazardous condition in the pump room is not complicated. There is generally a certain amount of vapor present because of bilge accumulations — it can get into the explosive concentration range under a variety of conditions. If an ignition source is permitted in the vicinity of such vapor, a flame front may develop which could propagate as an explosion, if there is enough mixture dispersed throughout the volume of the pump room, or it could find its way to a supply of fuel so as to sustain a fire. The STUDY VESSEL's pump room is equipped with a fixed foam system which, if activated in time, could put out the fire quickly. If this does not happen for some reason so that the fire is allowed to burn long enough to cause damage and interrupt operations, then the accident defined in event D21 has occurred.

The above discussion describes a three-path AND'ed condition. The diagram developed from event D21 was built with this basic structure as portrayed in Figure 4-4. This part of the diagram shows the three conditions necessary for a fire or explosion to develop and also shows the development of event E11 "source of ignition present". This development, and the two others, are discussed in the following subsections.
4.3.1.1 Event E11. Source of Ignition Present. Five means for getting an ignition source into the pump room were conceived. Event F11 envisions an actual combustion starting in the vent system exhaust trunk. This could occur if an explosive mixture flowing out the trunk were to be ignited; this ANDed condition is indicated by the symbol for gate G1. The ways by which the explosive mixture might get into the trunk are developed under gate F2; this is illustrated in a subsequent figure as shown by the transfer symbol. The ignition might occur due to an electrical malfunction in the motor, release of an electrostatic charge building up in the trunk, or a friction spark caused by impact. The study team found no record of such flashbacks in connection with pump room vent systems, but they are known by the team to have occurred in other vent systems on other types of vessels. Event F12, though most unlikely, is still conceivable. It involves misinstallation or breakage of the lamp covers located in various places on the after bulkhead of the pump room. All electrical service connections to those lamps are on the engine room side; what is envisioned here is a breach of some kind in the covers allowing vapor contact with the hot filament inside. Event F13 recognizes the possibility of deteriorated conditions affecting the moving machinery in the pump room. Event F14 covers all the minor but disastrous personnel errors in pump room working procedures that might be capable of sparking a fire. Event F15 is regarded as a certainty, given a long enough time period. Even in the best disciplined crew, the occasion will arise when someone will be unable to resist a temptation of the moment, or will submit to an unconscious action, and light up.

A specific effort was made to conceive of some subtle and unexpected means of getting an ignition into the STUDY VESSEL's pump room — a cause similar to the air compressor source in the Texaco North Dakota explosion.* No such circumstance came to mind. No part of the STUDY VESSEL's pump room was used for extraneous activities or stowage and the observed discipline and behavior of crew members was excellent.

4.3.1.2 Event E12, Explosive Mixture Present. The development of this path is shown in Figure 4-5. Three ways by which an explosive mixture could develop in the pump room were conceived. Before examining these, one should note that there is some amount of vapor present most of the time in the lower part of the pump room. To be hazardous with respect to fire or explosion, the vapor must build up to a concentration in the explosive range. There are two basic means of controlling this hazard: (1) keep the bilges cleaned up so there's no source of vapor in the first place, and (2) change the air fast enough with the vent system so that a significant concentration can't form. Current regulations require that the vent system for tanker pump rooms have enough capacity to change the air in the room every three minutes. It is not known what the criterion for setting this particular stringency level was. The structure of this part of the diagram indicates that the requirement is an important one worthy of searching review.

* "MARINE CASUALTY REPORT--Tankship TEXACO NORTH DAKOTA, Pump Room Explosion, Gulf of Mexico, October 3, 1973", Report No. USCG/NTSB-MAR-75-5, National Transportation Safety Board, September 1975.

FIGURE 4-5. EVENT PATH E12 DEVELOPMENT--"EXPLOSIVE MIXTURE PRESENT"

Of the three means for developing an explosive mixture in the pump room, the first, event F21, simply recognizes the possibility of a failure in any part of the cargo containment system in, or contiguous to, the pump room. Should such a failure occur, a large amount of splashing, agitated cargo would enter the pump room and very likely form an explosive mixture. This is a low-probability primary occurrence — it is much more likely as a secondary failure following a collision or explosion in some other part of the ship. The next event, F22, is conceivable though not known by the study team to have happened in piping systems working at the pressure levels of the piping in the pump room. If it should happen, it is highly likely that the concentration in and close to the spray cone area would get into the explosive range even if the pump room blower system were performing satisfactorily. The third event, F23, is the means whereby the pump room fires and explosions have occurred in the past. It, therefore, should be regarded as the most likely means of developing the hazard. It is in this branch that the importance of the vent system in controlling the hazard is revealed. The titling of the event (G61) is significant in this connection. The companion event under the AND gate (G6) postulates a vapor source in the pump room. For the hazard to be realized, the vent system must at the same time be "ineffective". The diagram shows only the off-design conditions which might make the vent system on the STUDY VESSEL ineffective. Not shown is "inadequate design capacity to control vapor concentration". The question of design adequacy is beyond the scope of this study, but the authors believe the validity of the three-minute air-change specification should be reviewed because of the evident importance of the vent system to the control of the pump room hazards.
4.3.1.3 Event E13, Foam System Not Effective. The foam system is intended to suppress fires in the pump room — it can do nothing about an explosion. The meaning of "effectiveness" in this event statement is the capability to put a pump room fire out very quickly after the fire starts — before any damage of significance can have occurred. Figure 4-6 shows the development of event E13 which postulates ineffectiveness of the foam system.

There are two ways whereby the foam system can fail to work. The first, event F31, is a materiel failure of some kind. The three possibilities which the study team conceived of are shown. Innumerable electrical failures are possible; that branch was not developed to the primary level. The second means of failure would simply be that the system is not activated in time to be of service in controlling the fire. The different ways this could happen all fall in the human error category.

4.3.2 Cargo Tank Fires and Explosions Study

The hazard of fires and explosions with respect to the STUDY VESSEL's cargo tank is made up of the same ingredients as in the pump room; namely, cargo vapor in the tank gets into the explosive mixture range and then an ignition source is introduced into the mixture. In most cases, in the confined volume of a cargo tank, this will result in an explosion followed by fire. However, for hazards analysis purposes, it is not necessary to be able to forecast the precise nature of the combustion's outcome. It is defined to fall in the catastrophic range of severity in any case.

As previously noted, the STUDY VESSEL has 27 cargo tanks. Of these, 13 normally carry petroleum products; these are always some form of fuel, such as automotive or aircraft gasolines of all commercial grades, jet fuels or heating oils. Four of the tanks carry lubes of various grades. The remainder are used for a large variety of solvents and other chemicals.

Nearly all of these cargoes can form vapors falling in the explosive range under temperature conditions in which the ship operates. The logic diagram was developed to apply singly to any one of these cargo tanks. If a quantitative solution to the diagram were possible, the probability calculated for the top event "Fire or Explosion in a Cargo Tank" would apply to some one tank selected for analysis. To get the probability of a fire or explosion in any cargo tank, one would have to sum the probabilities for all the individual tanks. Since a qualitative solution is being sought in this study, the focusing of the analysis at the level of an individual tank is considered satisfactory for purposes of hazard identification and description.

In this analysis, the cargo tank hazards were studied as they pertained to each of four operating conditions of the vessel.

• Transferring cargo to or from the ship while tied up at the dock (Phases 1 and 2)

• The southbound trip when the ship is underway, unloaded, at sea with cargo tank cleaning/preparation operations being conducted (Phase 9)

• Cruising, loaded on the northbound trip (Phases 3, 5, and 6)

• Underway, unloaded and in ballast (Phases 4, 7, and 8).

This division was found necessary because the sets of circumstances having the potential to cause fires or explosions in the tanks differ among these operating conditions. In the design of the logic diagrams, the different conditions are defined for the branches where they apply by the use of the "house" symbol (see definition in Appendix D). This symbol is combined with the other events of the branch under an AND gate. The event described in this symbol is a routine aspect of the operating phase involved; hence, its probability is essentially unity when the phase is being conducted and zero when it is not. With these values, the event acts as a mathematical switch turning the branch "on" for the operating phase involved and "off" for all other phases.
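The gate logic described in this section and in the pump room discussion of Section 4.3.1 can be exercised directly. The following Python is an added example, not part of the report: it models the three-path AND'ed D21 structure and the phase-switched cargo tank branches of D22 using the report's event IDs, but the event wording, the companion event under gate G6, and every probability are constructed illustrative values, not study data.

```python
from dataclasses import dataclass
from typing import List, Set, Union


@dataclass
class Basic:
    """Primary (circle) event: a hypothesised hazard; p is a constructed value."""
    name: str
    p: float


@dataclass
class House:
    """House symbol: P = 1 while its operating phase is under way, else 0."""
    phase: str


@dataclass
class Gate:
    name: str
    kind: str                   # "AND" or "OR"
    children: List["Node"]


Node = Union[Basic, House, Gate]


def evaluate(node: Node, active_phases: Set[str]) -> float:
    """Probability of `node`, treating the inputs of each gate as independent."""
    if isinstance(node, Basic):
        return node.p
    if isinstance(node, House):
        return 1.0 if node.phase in active_phases else 0.0
    probs = [evaluate(c, active_phases) for c in node.children]
    if node.kind == "AND":          # every input must occur together
        out = 1.0
        for p in probs:
            out *= p
        return out
    if node.kind == "OR":           # any input suffices: 1 - P(none occurs)
        none = 1.0
        for p in probs:
            none *= 1.0 - p
        return 1.0 - none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def basic_events(node: Node) -> List[str]:
    """The circles of a tree: the inventory of identified hazards."""
    if isinstance(node, Basic):
        return [node.name]
    if isinstance(node, House):
        return []
    return [n for c in node.children for n in basic_events(c)]


def build_d21() -> Gate:
    """Pump room (D21): three-path AND of E11, E12, E13; no house events."""
    e11 = Gate("E11 source of ignition present", "OR", [
        Gate("F11 combustion in vent exhaust trunk", "AND", [   # gate G1
            Basic("mixture flowing out of trunk is ignited", 0.1),
            Basic("F2 explosive mixture reaches trunk", 0.1),  # transferred sub-tree
        ]),
        Basic("F12 lamp cover breached", 0.01),
        Basic("F13 deteriorated moving machinery", 0.02),
        Basic("F14 personnel error in procedures", 0.05),
        Basic("F15 unauthorised smoking", 0.1),
    ])
    e12 = Gate("E12 explosive mixture present", "OR", [
        Basic("F21 cargo containment failure", 0.01),
        Basic("F22 pressurised spray leak", 0.01),
        Gate("F23 bilge vapour not controlled", "AND", [        # gate G6
            Basic("G61 vent system ineffective", 0.2),
            Basic("vapour source in pump room (assumed wording)", 0.5),
        ]),
    ])
    e13 = Gate("E13 foam system not effective", "OR", [
        Basic("F31 materiel failure", 0.05),
        Basic("F32 not activated in time", 0.1),
    ])
    return Gate("D21 pump room fire or explosion", "AND", [e11, e12, e13])


PHASES = {"E21": "cargo transfer", "E22": "tank cleaning/preparation",
          "E23": "cruising loaded", "E24": "cruising unloaded, in ballast"}


def build_d22() -> Gate:
    """One cargo tank (D22): a branch per operating condition, each AND-ed
    with a house event that switches it on or off."""
    def branch(eid: str, p_mixture: float, p_ignition: float) -> Gate:
        return Gate(eid, "AND", [
            House(PHASES[eid]),
            Basic(f"{eid} explosive mixture in tank", p_mixture),
            Basic(f"{eid} ignition source reaches tank", p_ignition),
        ])
    return Gate("D22 cargo tank fire or explosion", "OR", [
        branch("E21", 1.0, 0.02),    # mixture assumed always present in transfer
        branch("E22", 1.0, 0.03),
        branch("E23", 0.05, 0.02),   # over-rich ullage makes the mixture rare
        branch("E24", 0.01, 0.02),
    ])


def any_of_n_tanks(p_one_tank: float, n_tanks: int = 27) -> float:
    """P(fire or explosion in at least one of n independent tanks); summing the
    per-tank figures, as the report suggests, approximates this for small p."""
    return 1.0 - (1.0 - p_one_tank) ** n_tanks
```

Evaluating build_d22() with an empty phase set returns 0, and with {"cargo transfer"} only the E21 branch contributes, which is the switching behaviour the house symbol provides.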

This organization of the cargo tank diagram is presented in Figure 4-7 along with a full development of the "During Cargo Transfer" branch. This development, and the three others, are discussed in the following subsections.

FIGURE 4-7. EVENT PATH D22-E21 DEVELOPMENT--"CARGO TANK FIRE A/O EXPLOSION DURING CARGO TRANSFER"
4.3.2.1 Event E21. Cargo Tank Fire or Explosion During Cargo Transfer. The E-level of the diagram indicates the four operating conditions to be developed in this portion. The detailed development of the E21 branch begins at that level with the expected presence of an explosive mixture in the tank combined with an ignition source. The diagram notation implies that there will always be an explosive mixture present in the tank when any combustible material is being loaded or unloaded. This is not strictly true--in some cases, the properties of a particular cargo and the temperature conditions under which it is being transferred may maintain the tank in the over-rich or under-rich conditions. For purposes of safety analysis, however, it is wise to assume an explosive mixture is always present during this operation.

The diagram is then developed to show the ways by which an ignition could occur. At the G-level, two conditions for this are named but one is rejected at sight since the investigating team could think of no way by which an ignition source could originate inside the tank during cargo transfer (this is the reason for the notation on that event that its probability is essentially zero). Several means were conceived by which a flashback into a tank could occur. In event H51, it is noteworthy that the intended meaning of an "open" vapor path is that it is a continuous path for vapor from the tank to the open deck area without an effective flame arrest device to cut off a flame front trying to propagate into the tank. In considering the different ignition source possibilities (the J4x event group), note that the probability of the behavioral items (such as J41, unauthorized smoking) is very small since special vigilance is observed by the watchstanders on the STUDY VESSEL to see to it that safety precautions and good practices are observed by all hands during loading or unloading. For example, during the first night of the observation cruise while the ship was completing discharge of cargo, all operations were stopped when an electrical storm came up. Smoking discipline appeared to be excellent. This is in line with a basic approach to fire safety during cargo transfer--prevent the ignition from taking place since vapor, probably in the explosive range, is likely to be present for one reason or another during these operations.
4.3.2.2 Event E22, Cargo Tank Fire and Explosion During Tank Cleaning and Preparation. The tank cleaning and preparation phase extends from the initial action of hose washdown from above through machine washing, gas freeing, and, finally, entry in the tank of working parties for final cleaning and drying if circumstances indicate the need. All of these operations are routinely performed on the STUDY VESSEL. Each of these aspects of the cleaning/preparation operation is attended by hazards.

The diagram showing these hazards is in Figure 4-8. The upper level portrays the basic circumstance of an ignition source coming into the tank when an explosive mixture is present. Again, it is not strictly the case that an explosive mixture is inevitably present but the condition is postulated for the purposes of safety analysis. Note that two of the events on this diagram, K11 and J71, are developed the same as event H52 (Figure 4-7) as indicated by the transfer symbols.

4.3.2.3 Event E23. Cargo Tank Fire and Explosion During Cruising Loaded. In this part of the diagram (Figure 4-9) the presence of an explosive mixture in the ullage space is postulated. This is a rare condition; in most cases, the ullage space would be filled with an over-rich mixture and no combustion could occur. However, the occurrence was judged to be conceivable and was therefore retained. The different modes by which an ignition could occur are identical to those under event F42; this is recognized in this diagram by the transfer symbol attached to event F63.

4.3.2.4 Cargo Tank Fire and Explosion During Cruising, Unloaded and in Ballast. The implicit assumption in this portion of the diagram (Figure 4-10) is that the tank of interest is one of the STUDY VESSEL's center tanks that normally carry high purity chemicals. These tanks are never used for ballast. Frequently, because of changes in the loading schedule at the southern terminal, they require very thorough cleaning after which they are closed up for the remainder of the southbound voyage. It is this closed and empty condition that is the subject of the diagram. The casualty envisioned is that an explosive mixture builds up in the empty tank due to leakage from adjacent spaces or the product piping system and is ignited by flashback. As indicated on the diagram by the transfer symbol, the flashback events are the same as event F52 portrayed in Figure 4-7. The former event, leakage, is of extremely low probability in the case of the STUDY VESSEL because her southbound voyage is normally done with no cargoes aboard at all, only ballast, so there would be no combustible material to leak in. However, she does occasionally discharge one or two parcels at a second terminal during the southbound voyage. In any case, it was decided, the possibility of leakage into an empty cargo tank should be documented in this diagram.

FIGURE 4-9. EVENT PATH E23 DEVELOPMENT--"CARGO TANK FIRE AND/OR EXPLOSION DURING CRUISING LOADED"

FIGURE 4-10. EVENT PATH E24 DEVELOPMENT--"CARGO TANK FIRE AND/OR EXPLOSION DURING CRUISING UNLOADED AND IN BALLAST"

4.3.3 Topside Area Fire and Explosion Study

Hazards potentially leading to cargo fires on the STUDY VESSEL's topside are depicted in the diagram of Figure 4-11. The accident is visualized as resulting from the simultaneous occurrence of three events. First, a substantial spill of cargo onto the main deck or other topside area occurs. Second, the spill is ignited. Third, the means at hand for quickly extinguishing the blaze prove to be ineffective so the fire is able to burn a significant length of time--long enough to damage the vessel and hazard the crew. The diagram shows these events as three branches proceeding from the top accident statement through an AND gate.

The "spill occurs" branch, event E31, shows three general ways by which cargo might be released to the main deck area. The first, pipeline leakage, is a primary failure event avoidable through proper maintenance of topside piping. The second is a failure in the cargo transfer system, event F82; it can occur only during transfer operations as indicated by the "housed" structure in the branch. The basic failures underlying this event are either ruptures or overflows — mainly personnel errors. The third spill producing event, F83, is a vessel casualty in which cargo tanks are ruptured as a secondary consequence of a collision, a ramming, or other vessel casualty. This event is not developed in further detail in this analysis since it is outside the cargo system scope of this study.

The "ignition" branch consists of that single event, E32, depicted as a primary failure and not developed in further detail. It was decided to portray the branch in this way because the probability of an ignition given a spill of any significance is high and, for qualitative safety analysis purposes, has been assumed to be unity. This is an arbitrarily conservative assumption since it puts the full responsibility for controlling this accident on spill avoidance and fire fighting means and gives no credit to the measures taken aboard the STUDY VESSEL to suppress ignition sources on the topside area. The assumption is not intended to denigrate the importance of these measures in any degree or to refute the basic approach to fire safety during cargo transfer operations alluded to in Section 4.3.2.1. It merely accounts for the fact that the vapor cloud formed when a topside spill occurs is not confinable or controllable in any way and will tend to seek out any ignition opportunities that may exist in the area in spite of the best efforts made to eliminate them.

FIGURE 4-11. EVENT PATH D23 DEVELOPMENT--"FIRE OR EXPLOSION IN TOPSIDE AREA"

The structure of the third branch developed out of event E33 is based on the doctrine aboard the STUDY VESSEL that the primary means of fighting topside cargo fires is the fixed foam system. The foam system would, of course, be complemented by use of water fog and CO2 in accordance with standard procedures for fighting Class B fires. However, these latter two also comprise the backup system for fighting the fire if, for some reason, the foam system is inoperative or delayed in being brought into action. The branch is built under an OR gate meaning that the failure of any one of the three systems renders the fire fighting effort ineffective. The "foam system ineffective" branch has already been developed as event E13 in Figure 4-6.

The purpose of hazard analysis in the context of system safety practice is to assess the criticality of the hazards that have been identified. In this study, the basic events, depicted on the logic diagrams as circles, constitute the inventory of identified hazards. Each of these hypothesized events fits the classic definition of what a system hazard is, i.e., a condition that exists or could occur in the system having the potential to cause an accident. In this case, of course, this inventory of
The criticality of a hazard, in this study, is measured by the relative importance of carrying out an act of inspection aimed at subduing or eliminating the hazard. Those hazards found to be of the greatest importance by this measure would be in the top category of the SCP, and the corresponding inspections would have first priority on the inspector's time and resources. A method of assessing criticality in these terms had to be developed.

Ordinarily, in system safety analysis activities, hazard criticality is closely related to the idea of risk where risk is thought of as the product of the probability of a particular accident and its cost. This product is the expected loss in a given length of time due to the occurrence of the accident. The higher the expected loss or risk, the more critical the hazard and the more important it is to control it if possible. Thus the control of a hazard may be thought of as a benefit whose value is the change in risk (reduction of expected loss) accomplished.

It was decided that the most useful measure of hazard criticality was the benefit to be obtained in terms of risk reduction by inspecting and correcting the conditions giving rise to that hazard. Accordingly, an assessment procedure was developed to measure this benefit for each hazard. In developing the procedure, the project team recognized at the outset that it would have to be a qualitative one since probability data on the basic events in the logic diagram are virtually non-existent. Qualitative methods of assessment involve the placing of items in arbitrarily defined categories with respect to the various elements of criteria involved; no deterministic calculations can be made to facilitate such categorization. It is essential that such an assessment methodology be kept as simple as possible. Since arbitrary judgements are involved, the more complex the method the greater are the opportunities presented for plausible but arbitrary manipulation of the results, and the less credibility is likely to be attached to them. Simplicity in such methodologies is achieved in two ways:

1. Keep the number of criteria elements to be applied and integrated to a minimum.

2. Define the categories into which the evaluative items are to be placed in physical or phenomenological terms as much as possible so the choices are stark and well-defined.
The methodology developed for this criticality evaluation involved judging each of the hazards as to its "inspectability" and then categorizing the inspectable hazards as to three criteria: (1) accident severity, (2) impact of the inspection process on the likelihood of the basic event, and (3) the number of events in the accident path.

4.3.4.1 Inspectability. Many of the basic events in the logic diagrams are not inspectable for one reason or another, that is, the conditions which would have to exist to cause the event are either not detectable by inspection or inspection has no power to reduce the probability of the event's occurring in the future (or both). An example is the event of a cargo pump overheating through being allowed to lose suction and run vapor-bound so as to become a possible ignition source. A Coast Guard inspector conducting a regular inspection of a vessel has no way of detecting the possible future occurrence of that condition — it is purely a function of correct machinery operating procedure on the part of the crew. The risk involved with such events can't be affected by inspection; hence no benefit is possible. Thus, hazards categorized as not inspectable were dropped from this evaluation process. This does not mean that such hazards are unimportant. Indeed, many hazards that can't be inspected for are more significant to the vessel's safety than the ones that can be. It merely means that uninspectable hazards are not relevant to this particular study.

4.3.4.2 Accident Severity. Accidents do not have equal severity. As was discussed in connection with the PHA (Section 4.2.1.5), the damage and loss expectation is more severe with some accidents than others. Hazards leading to the more severe accidents were judged to be correspondingly more critical, all other things being equal.

In formulating this criterion for use in assessing the logic diagram hazards, the same scheme of categorization shown in Table 4-1 was employed except that some simplification proved to be both possible and necessary. In that table, categories III and IV were subdivided by party-at-risk exposure levels. These subdivisions relate directly to where the vessel is when she experiences an accident. If she has an explosion at sea where only the vessel and crew are at hazard, the accident is categorized as IV A. If the same accident occurs while the ship is tied at the dock in a populous port, the public and public property are also hazarded along with the close-in marine environment. In this case the hazard category is IV C, two levels more severe than in the former case.

This  fine-graining  of  the  hazard  categories  was  necessary  in 
conducting  the  PHA  where  one  of  the  purposes  was  to  spot  the  high-risk 
portions  of  the  vessel's  operating  cycle.  However,  in  the  case  of  the 
present  assessment,  these  operating  cycle  differences  have  no  meaning. 

An act of inspection aimed at preventing a certain type of explosion, if
successful, will prevent it for a year or more, during which time the ship
passes through all possible operating phases many times. The criticality
of the explosion relative to the inspection act preventing it is insensitive to
operational phase and the parties-at-risk variations involved. Accordingly,
only the 4-part base categorization scheme which describes the
inherent severity or violence of the accident regardless of location was
used in this assessment. Furthermore, category I, negligible, was dropped,
leaving three levels of severity to be considered.

4.3.4.3 Event Probability Impact. The fundamental purpose of
conducting an act of inspection is to alter the probability of occurrence
of the failure event involved. If an inspector discovers excess plate
wastage in a vessel's hull, it can be interpreted as meaning the probability
of structural failure in the near future (within the time of the oncoming
inspection interval) is unacceptably high. If he requires that the condition
be corrected by installing new plating (restoring the vessel structure to
design strength conditions), then the probability of the failure has been
greatly reduced. Indeed, it has been made essentially zero for the ensuing
inspection interval. This, of course, constitutes a major impact on that
event's probability. Making such an impact is really the only way the
inspection process can produce benefits of the kind discussed earlier in
Section 4.3.4. The criterion applied here, then, is the relative magnitude
of this benefit that can be obtained by a given act of inspection related
to a given hazard.

To assess this with respect to a given hazard, it was necessary
to develop a qualitatively defined set of impact categories into which the
hazard can be fitted by considering the nature of the indicated inspection
procedure and the mode of degradation leading to the occurrence of the
event. Three descriptors of such categories were developed.
• Maximum impact. The greatest impact on event failure probabil-
ity results when the probability of the event without inspec-
tion is essentially one and the act of inspection changes the
probability to essentially zero for the period of the ensuing
inspection interval. This occurs when the failure event is
brought about through the action of a time-stress function
such as atmospheric corrosion (probability of one if the
degradation process is not interrupted), and the inspection
process is capable of detecting the condition accurately and
requiring full restoration to the design condition by a means
that is permanent and intrinsic in the material makeup of the
vessel. An obvious example of this kind of impact is the one
mentioned above where wasted plating is replaced. The "fix"
is a permanent part of the structure of the ship and is not
dependent in any way on the crew's observing correct operat-
ing procedures, avoiding human error, or the like. The
inspection process exerts full control over the hazard inde-
pendently of any other agencies or actors.

• Moderate impact. Inspection can effect a moderate reduction
of the probability of a failure event where the failure will
result from improper maintenance or operation that has
already caused a detectable amount of degradation. The in-
spector can require that the observed condition be rectified
and in so doing can exert pressure on the ship's officers and
crew to carry out proper procedures. Examples of this
type of condition would be the discovery of CO2 extinguishers
not properly charged, excessive product drippings in the pump
room bilges, or cargo tank wash hose with inadequate provi-
sions for grounding. The inspection process can detect many
such conditions where they show up as material defects. How-
ever, the inspection process does not have full control of
these hazards, since this will depend on the crew's using
correct operating procedures in the future.
• Minimal impact. The inspection process can expect to have
only small impact on the probability of a failure event
whose probability is logically small to begin with. A
failure resulting from an error in the original construc-
tion of the ship, for example, would be of low probability
because the condition had already been checked for at the
time of construction. Thus, it is unlikely that an inspec-
tor working on a ship that has been in operation for some
time would find the safety lamps in the pump room lower
level to be improperly installed. In addition, hazards
were placed in this impact category when there was a
serious question as to whether or not the condition could
be detected by inspection. The sudden failure of a cargo
transfer hose because of fatigue of internal parts might
fall in this category.




4.3.4.4 Number of Events in Accident Path. The number of failure
events involved in any given accident path can be readily determined by in-
spection of the logic diagram depicting it. An accident that can be caused
by a single failure event is more probable than one that can result only if
two or three independent failure events occur simultaneously. It follows
from this that failures in a single-event path are more critical than those
in multiple-event paths. It is this, incidentally, that leads to the safety
engineer's rule of thumb that relatively dangerous situations are represen-
ted by logic diagrams having OR gates high in the structure, whereas re-
latively safe situations exist when there are AND gates there. In the
present study, the pump room and topside logic diagrams depict three-event
accidents, whereas the cargo tank diagram involves a single-event accident.
Because of this, the basic events in the first two diagrams are of relatively
lower criticality than the ones in the latter.

4.3.4.5 Integration of Criteria. For each hazard, the criteria
levels were combined directly and the hazard was then located as to critical-
ity in a grouped rank-ordering. The most critical hazard would be one capable
of triggering a category IV accident by itself due to progressive corrosion
of some vital part of the ship. The next lower level of criticality would be
assigned that hazard if it was in one lower category with respect to any one
of the three criteria discussed above. As a matter of convenience in keeping
track of the evaluations for each hazard, numerical values were assigned to
all the criteria levels, the most critical being represented by one and the
least by three. The example mentioned above would have a one for each cat-
egory, giving an integrated number of three. These numbers have no significance
except as they act as surrogates for the names of assessment categories.

Table 4-2 indicates the criticality ranking values chosen for the
SCP and the assessment combinations falling in each one. Three ranking
levels were selected.

• Mandatory--indicated inspection item is important
enough that it must always be inspected.

• Critical--indicated inspection item is of intermediate-
level importance, mainly because the hazard is less subject
to control through the inspection process.

• Routine--inspect on a routine basis, but no priority
is attached, either because the hazard involved is of
lower severity or because the inspection process
exerts little control over the hazard.

TABLE 4-2. CRITICALITY ASSESSMENT COMBINATIONS

SCP Ranking | Criteria Level Combinations
Mandatory   | Numerical combinations summing to 4 or less
Critical    | Numerical combinations summing to 5
Routine     | Numerical combinations summing to 6 or greater

More levels with a finer-grained variation among them could have
been defined for this evaluation. However, this would have had little prac-
tical meaning for the inspection process; it will be difficult enough for an
inspector to recognize two levels of prioritization beyond routine, let alone
three or more.

The  numerical  assessment  combinations  shown  in  Table  4-2  were  arbi- 
trarily chosen  after  the  hazards  discovered  in  this  study  had  been  tabulated 
in  order  of  relative  importance.  These  break  points  for  the  different  levels 
yield  a satisfactory  distribution  and  reflect  significant  steps  in  the  three 
"importance  criteria". 

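As an added illustration of how the three criteria of Sections 4.3.4.2 through 4.3.4.4 are read off a logic diagram and combined under the break points of Table 4-2, the following Python script ranks a handful of the basic events listed in Table 4-3. It is example code written for this edition, not part of the original report or of VIIS. The two fault trees it uses are simplified stand-ins constructed for the example (so the path counts they yield need not match the Table 4-3 column), and the minimal-cut-set routine is the standard fault-tree way of counting the events in an accident path, not a procedure the report itself describes.

```python
"""Added example: the three-criterion criticality ranking of Sections 4.3.4.2
to 4.3.4.5 and the Table 4-2 break points, applied to a few basic events
from Table 4-3.  The two fault trees below are simplified stand-ins built for
this example; they are not the report's own logic diagrams."""
from dataclasses import dataclass
from typing import Optional

# A tree node is a basic-event identifier (str) or a gate:
# ("AND", [children]) or ("OR", [children]), as in a fault-tree logic diagram.

def min_cut_sets(node):
    """Minimal cut sets: the smallest sets of basic events that force the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    child_sets = [min_cut_sets(c) for c in children]
    if kind == "OR":                       # any one child suffices
        sets = [s for cs in child_sets for s in cs]
    elif kind == "AND":                    # one cut set from every child
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    else:
        raise ValueError(f"unknown gate {kind!r}")
    minimal = []
    for s in sets:                         # drop duplicates and supersets
        if s not in minimal and not any(o < s for o in sets):
            minimal.append(s)
    return minimal

def events_in_path(tree, event: str) -> int:
    """Criterion (3): size of the smallest cut set containing `event`
    (1 = single-event path, i.e. OR gates all the way to the top)."""
    sizes = [len(s) for s in min_cut_sets(tree) if event in s]
    if not sizes:
        raise KeyError(f"{event} is not a basic event of this tree")
    return min(sizes)

# Criteria (1) and (2), coded as in Table 4-3 footnotes (a) and (b).
SEVERITY = {"catastrophic": 1, "critical": 2, "negligible": 3}
IMPACT = {"maximum": 1, "moderate": 2, "minimal": 3}

def scp_ranking(severity: int, impact: int, path: int) -> str:
    """Table 4-2: sum of the three levels; 4 or less Mandatory, 5 Critical, 6 or more Routine."""
    total = severity + impact + path
    if total <= 4:
        return "Mandatory"
    if total == 5:
        return "Critical"
    return "Routine"

@dataclass(frozen=True)
class BasicEvent:
    ident: str
    severity: str
    impact: Optional[str]     # None = not inspectable (Section 4.3.4.1)

def assess(ev: BasicEvent, tree):
    """(severity, impact, path, ranking) for an inspectable event, or None when
    inspection cannot affect the event and it is dropped from the SCP."""
    if ev.impact is None:
        return None
    path = min(events_in_path(tree, ev.ident), 3)   # footnote (c): 3 = three or more
    s, i = SEVERITY[ev.severity], IMPACT[ev.impact]
    return (s, i, path, scp_ranking(s, i, path))

# Constructed stand-in for the pump room diagram: a three-event accident
# (ignition source AND vapour present AND ventilation lost); OR gates only low down.
PUMP_ROOM = ("AND", [
    ("OR", ["G12", "G22", "G31"]),   # ignition sources
    ("OR", ["G51", "H31"]),          # vapour sources
    ("OR", ["H21", "J11"]),          # ventilation lost
])
# Constructed stand-in for the cargo tank diagram: an OR gate at the top makes
# J31 a single-event path, while J33 still needs a topside ignition source.
CARGO_TANK = ("OR", ["J31", "J35", ("AND", ["J33", "J44"])])

EVENTS = [
    (BasicEvent("G12", "catastrophic", "maximum"), PUMP_ROOM),
    (BasicEvent("G22", "catastrophic", "minimal"), PUMP_ROOM),
    (BasicEvent("G31", "catastrophic", None), PUMP_ROOM),
    (BasicEvent("J31", "catastrophic", "maximum"), CARGO_TANK),
    (BasicEvent("J33", "catastrophic", "moderate"), CARGO_TANK),
]

def build_scp():
    """Rank every listed event; each tuple mirrors the Table 4-3 columns."""
    return {ev.ident: assess(ev, tree) for ev, tree in EVENTS}

if __name__ == "__main__":
    for ident, row in build_scp().items():
        print(ident, row if row else "not inspectable (dropped)")
```

The AND gate at the top of the pump room stand-in is what pushes every pump room event to a three-event path and so, even with severity and impact both at their highest level, to Critical rather than Mandatory; the OR gate at the top of the cargo tank stand-in is what makes J31 Mandatory. G31 returns None because Section 4.3.4.1 drops uninspectable events before any score is formed.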
4.3.4.6 Assessment of Hazards. Table 4-3 shows the criteria
assessments and criticality class assignments made for each of the basic
events in the fire or explosion diagrams for the pump room, cargo tanks, and
topside areas. The first column shows a brief description of the inspection
action deemed appropriate for each hazard listed. The remaining columns show
criteria evaluations and class assignments.




TABLE 4-3. HAZARD CRITICALITY ASSESSMENT

Basic Event | Inspection Action | Accident Severity (a) | Event Probability Impact (b) | No. of Parallel Events in Accident Path (c) | SCP Classification

G11. Pump room vent motor electrical malfunction | Inspect (megger and visual) for insulation deterioration or other conditions leading to spark generation | 1 | 1 | 3 | Critical
G12. Electrostatic discharge in pump room exhaust duct | Visual inspection for degraded conditions in ductwork (corrosion, cracking) leading to the presence of loose metallic objects in the exhaust ducting | 1 | 1 | 3 | Critical
G13. Friction spark in pump room exhaust duct; foreign or loose object | Ditto | 1 | 1 | 3 | Critical
G21. Broken lamp cover in pump room | Visual | 1 | 1 | 3 | Critical
G22. Incorrectly installed lamp cover | Ditto | 1 | 3 | 3 | Routine
G31. Vapor-bound cargo pump | Not inspectable; specific operational conditions | -- | -- | -- | --
G32. Tight packing in cargo pump | Operational check | 1 | 2 | 3 | Routine
G33. Cargo pump bearing overheated | Operational check | 1 | 2 | 3 | Routine
G34. Hot lamp cover | Visual and touch | 1 | 1 | 3 | Critical
G41. Dropped tools in pump room area | Not inspectable; operating procedure | -- | -- | -- | --
G42. Nails in shoes worn by men entering pump room | Ditto | -- | -- | -- | --
G43. Inadequately sealed flashlights carried by men entering pump room | Ditto | -- | -- | -- | --
G44. Ungrounded power tools in use in pump room | Uninspectable; operating procedure | -- | -- | -- | --
G45. Improperly stowed items in pump room come adrift and drop | Check for improper use of pump room as a stowage area | 1 | 3 | 3 | Routine
F15. Unauthorized smoking in pump room | Essentially uninspectable; observe discipline of vessel crew and visually check "no smoking" signage aboard vessel | -- | -- | -- | --
F21. Large containment failure in pump room | Inspect for wastage in piping, fittings, and tank structure in pump room and contiguous spaces | 1 | 1 | 3 | Critical
G51. Cargo pump packing failure | Operational inspection plus maintenance check | 1 | 2 | 3 | Routine
G52. Pinhole in pressure system part (pump room) | Inspect piping and fittings, including gage lines and other small pressurized systems | 1 | 2 | 3 | Routine
H21. Human error; vent system not turned on | Not inspectable; operating procedure | -- | -- | -- | --
H31. Drip/drain accumulation of product in pump room bilges | Inspect for actual accumulation or evidence of past accumulations | 1 | 2 | 3 | Routine
H32. Small containment failure | Inspect for small leaks | 1 | 2 | 3 | Routine
J11. Pump room exhaust vent motor failure | Operational and visual check of feeder, controller, and motor | 1 | 1 | 3 | Critical
J12. Pump room exhaust vent ducting failure causing short circuit | Inspect for wastage in all parts of the ducting system | 1 | 1 | 3 | Critical
G71. Insufficient charge of foam in fixed foam generator | Operational check of foam generator | 1 | 1 | 3 | Critical
G72. Electrical equipment malfunction | Operational inspection of foam system plus inspection of feeders and controllers with megger test of system | 1 | 1 | 3 | Critical
G73. Foam generator piping jammed due to improper cleanup after test | Inspect for proper cleanup after test | 1 | 1 | 3 | Critical
G81. Communication failure; water pressure and/or electric power to foam generator not properly lined up | Uninspectable; operational procedure | -- | -- | -- | --
G83. Fire not observed in time | Not inspectable; human performance | -- | -- | -- | --
H41. Untrained personnel on scene | Not inspectable; function of training program | -- | -- | -- | --
J21. Inadequate marking (of piping and controls of the fixed foam system) | Visual inspection | 1 | 1 | 3 | Critical
J22. Excessive complexity (of procedures to activate foam system) | Not inspectable; function of design and state of training | -- | -- | -- | --
G91. Ignition source originates inside cargo tank during cargo transfer operations; probability approximately 0 | No inspection procedure definable | -- | -- | -- | --
J31. PV valve piping leaks | Inspect piping for material condition and incipient failure | 1 | 1 | 2 | Mandatory
J32. Ullage fitting open by error | Not inspectable; human performance | -- | -- | -- | --
J33. Ullage fitting open due to damage | Inspect ullage fittings | 1 | 2 | 2 | Critical
J34. Remote valve operator stuffing box open | Inspect stuffing boxes | 1 | 2 | 2 | Critical
J35. Welded feature penetration (i.e., piping) wasted to open condition | Inspect for wastage | 1 | 1 | 2 | Mandatory
J36. Tank hatch not properly closed due to error | Not inspectable; human performance | -- | -- | -- | --
J37. Tank hatch not properly closed due to damage | Inspect hatches and check function | 1 | 2 | 2 | Critical
J38. Deepwell pump penetration open due to damage | Inspect all penetrations | 1 | 1 | 2 | Mandatory
J41. Unauthorized smoking on main deck | Not inspectable; function of training, indoctrination, and discipline | -- | -- | -- | --
J42. Hot spots from use of portable machinery | Not inspectable; operating procedure | -- | -- | -- | --
J43. Spark from use of ungrounded powered devices | Ditto | -- | -- | -- | --
J44. Electrical faults in cargo deck wiring or deepwell pump motors | Inspect and megger circuits/equipment | 1 | 2 | 2 | Critical
J45. Friction spark from dropped tools, nails in shoes, etc. | Not inspectable; operating procedure | -- | -- | -- | --
J46. Lightning discharge | Ditto | -- | -- | -- | --
J51. Tank wash hose ungrounded | Check hose for proper grounding provisions | 1 | 2 | 2 | Critical
J52. Object dropped through hatch | Not inspectable; operating procedures, state of training | -- | -- | -- | --
K12. Explosive mixture at hatch | Not inspectable; transient operational condition | -- | -- | -- | --
H62. Electrostatic charge in mist (during machine washing of tanks) | Ditto | -- | -- | -- | --
J61. Ungrounded object in tank (during machine washing) | Not inspectable; operating condition | -- | -- | -- | --
J62. Natural discharge in tank (during machine washing) | Ditto | -- | -- | -- | --
J72. Spark from ungrounded blower (during gas freeing) | Ditto | -- | -- | -- | --
H 2. Pocket of combustible product remaining in tank | Not inspectable; operational procedure | -- | -- | -- | --
J81. Improper clothing or shoes cause spark (during manual tank cleaning) | Ditto | -- | -- | -- | --
J82. Dropped tools | Not inspectable; operational/behavioral factors | -- | -- | -- | --
F62. Explosive mixture in ullage space | Not inspectable; operational condition | -- | -- | -- | --
G112. Inadequate tank cleanup (during cruising unloaded) | Not inspectable; operational procedure | -- | -- | -- | --
H101. Valve leak | Inspect tank lines for evidence of leakage | 1 | 2 | 2 | Critical
H102. Tank bulkhead leak | Inspect tank structure for cracks, wastage, evidence of incipient failure | 1 | 1 | 2 | Mandatory
F81. Leak in cargo deck piping | Inspect for wastage and evidence of leaks | 1 | 1 | 2 | Mandatory
H111. Hose rupture (during cargo transfer operations) | Inspect vessel hose plus check of dockside hose | 1 | 3 | 3 | Routine
H112. Tank overflow | Not inspectable; operational procedure | -- | -- | -- | --
H113. Drip pan overflow | Ditto | -- | -- | -- | --
H114. Ruptured deck piping | Inspect for wastage and evidence of incipient failure under pressure | 1 | 3 | 3 | Routine
H115. Drip pan leakage | Inspect drip pans | 1 | 1 | 3 | Critical
G131. Fire main rupture | Operational/visual inspection of fire main piping and fittings | 1 | 1 | 3 | Critical
G132. Fire pump failure | Operational/visual inspection of pump, motor, controller plus megger test | 1 | 1 | 3 | Critical
G133. Fire main not properly lined up | Not inspectable; operational procedure | -- | -- | -- | --
G134. Inadequate training of crew at hand | Not inspectable; training/awareness level | -- | -- | -- | --
G135. Equipment not properly laid out (fog nozzles, hose, etc.) | Not inspectable; operating procedure | -- | -- | -- | --
G141. Depleted charge (CO2 equipment) | Check charge level during inspection | 1 | 2 | 3 | Routine
G142. Equipment not in place (CO2 portable equipment) | Not inspectable; operating procedure | -- | -- | -- | --

(a) 1 - catastrophic, 2 - critical, 3 - negligible.

(b) 1 - maximum impact, 2 - moderate impact, 3 - minimal impact.

(c) 1 - single-event path, 2 - two-event path, 3 - three or more event path.


The SCP extracted from this analysis is portrayed in Figure 4-12.
It is arranged in a screen format to illustrate how the SCP might be presented
to a user of VIIS. In constructing this figure, the items from Table 4-3
falling in the "mandatory" and "critical" categories were grouped into logical
inspection items wherever such grouping was possible. For example, items G12,
G13, and J12 in the "critical" class all are concerned with failures occurring
in the pump room exhaust vent system. They were regrouped as shown for inclu-
sion in the SCP. In addition, each item was restated so as to specify the
type of degradation to be inspected for (the "inspection" column) and the
failure to be controlled by the inspection.


FIGURE  4-12.  SAFETY  CRITICAL  PROFILE 
4.4 HAZARD MODE AND EFFECT ANALYSIS


The HMEA carried out in this study had the same purpose as the
logic diagram analysis just presented, namely, to identify hazards of fire
or explosion in the STUDY VESSEL'S cargo system and to assess those hazards
as to inspection criticality. The HMEA technique involves approaching this
task at the component or subsystem level. One lists all the components and
subsystems comprising the system of interest, postulates hazardous failures
that might occur in each, and then traces the effects of each such failure
through the system to determine what type and severity of accidents might
result from the failure. Criticality assessment of each hazardous failure
possibility is then made on the basis of the evidence thus assembled.


The HMEA process is not conducted in a framework of mathematical
rigor; rather, it is highly descriptive in nature and gives the analyst
somewhat more freedom to exercise judgment as he proceeds through the various
steps. Also, the tabular format on which the analysis is recorded is not
rigidly prescribed. The analyst is free to decide what evidence about fail-
ures is required to support the particular decisions he intends to draw out
of the HMEA process. The steps carried out in an HMEA, then, are (1) develop
the list of components/subsystems comprising the system to be investigated,
(2) design an HMEA format suiting the needs of the particular analysis, and
(3) carry out the analysis.


4.4.1  Components  and  Subsystems  Analyzed 


The  STUDY  VESSEL'S  cargo  system  was  briefly  described  in  Section 
2.1  and  covered  in  greater  detail  in  the  discussion  and  figures  of  Appendix 
A.  In  preparing  to  perform  this  HMEA,  it  was  decided  to  organize  the  listing 
of  items  to  be  studied  in  accordance  with  the  general  breakdown  listing  of 
vessel  systems  presented  in  Appendix  B.  Figure  4-13  shows  the  resultant 
listing  tailored  to  the  particular  systems  and  components  aboard  the  STUDY 
VESSEL. 
Level I

  9. Cargo System

Level II

  1. Cargo Environment Control
  2. Containment System
  3. Transfer System

Level III and Listings

  Under 1, Cargo Environment Control:

    1. Pressure Control
       • PV valves
       • Flame screens
       • PV valve piping

    2. Temperature Control
       • Steam heating coils

  Under 2, Containment System:

    1. Primary Containment
       • Cargo tank structural envelope--bulkheads
       • Cargo tank structure--tank top (main deck plating)
       • Ullage openings/closure fittings
       • Hatches

  Under 3, Transfer System:

    1. Cargo Unloading/Loading
       • Deck piping/valves
       • Tank piping/valves
       • Main cargo pumps

    2. Pump Room
       • Pump room piping/valves
       • Pump room lighting
       • Pump room exhaust vent system

FIGURE 4-13. COMPONENT/SUBSYSTEM LISTING FOR HMEA
4.4.2 Development of the HMEA Format


A 13-column format was developed for this HMEA. The columns,
moving from left to right, form a succession of information citations and
intermediate conclusions about the particular failure and its impact on the
system. These are used by the analyst in deciding about the inspection
criticality of the failure, a decision recorded in the right end column.
The basic reasoning behind this decision was identical to that used in assess-
ing failure event criticality in the logic diagram analysis, namely, criti-
cality is a function of three aspects of a failure: (1) severity of the
accident threatened, (2) impact of inspection on the probability of the
failure, and (3) number of simultaneous events required to cause the acci-
dent. The conventions used in entering the columns are described in the
following subsections.


4.4.2.1 Column 1, "Hazard Mode". This column identifies the top-
level hazard category to which the analysis is intended to pertain.* In the
present case, this entry is always "fire or explosion, cargo system" since
the study has been scoped to cover only that topic.


4.4.2.2 Column 2, "Item". In this column, the component or sub-
system whose potential failures are to be investigated is named.


4.4.2.3 Column 3, "Subsystem". In this column, the name of the
vessel subsystem of which the item forms a part is entered. The vessel sub-
systems in this case are indicated by the Level II and Level III nomencla-
ture from Figure 4-13.


* It  is  the  presence  of  this  column  in  the  format  that  makes  this  analysis  a 
hazard-mode-effect  analysis  rather  than  a traditional  failure-mode-effect- 
analysis  as  practiced  by  reliability  engineers.  In  fact,  an  HMEA  is  an 
FMEA  except  that  the  left  hand  column  restricts  the  study  to  only  those 
failures  that  could  bring  about  the  specified  hazard.  The  reliability 
engineer  explores  all  consequences  of  a failure  that  could  result  in  un- 
reliable performance.  The  safety  engineer  explores  only  those  that  would 
bring  about  unsafe  system  performance. 


4.4.2.4 Column 4, "Function". In this column, the item's function
is briefly described. If the item has many functions, then it is only neces-
sary to note those which have safety relevance. However, it is sometimes
difficult to know in advance which ones are safety relevant and which are
not; the conservative analytical approach is to note them all.

4.4.2.5 Column 5, "Failure/Error". In this column, the specific
failure or procedural error to be investigated is recorded. If the item has
more than one failure mode of concern to the analysis, each is recorded sep-
arately, since each failure mode starts a separate analysis.

4.4.2.6 Column 6, "Cause". The cause is the failure mechanism
(e.g., excess loading condition, corrosion degradation, failure to observe
operating procedures) which could bring about the postulated failure. This
is a particularly important entry in this analysis because it indicates the
"inspectability" of the failure being studied; this quality is one of the
final assessment criteria. If there are several possible causes of the
failure, all should be recorded.

4.4.2.7 Column 7, "Immediate Effect". This is the condition that
results directly from the failure/error being analyzed. In some cases, this
may be the accident (hazard mode) noted in column 1; more often, however, it
is the creation of a condition that will contribute to causing the accident
if other, independent failures or conditions occur simultaneously or
sequentially with the one being analyzed.

4.4.2.8 Column 8, "Ultimate Effect". The ultimate effect of
the failure/error is the level of injuries and/or damage that might, in worst
circumstances, result from the type of accident that might be caused.
Typical entries are couched in these terms, e.g., "si/f & mpd (serious
injuries and/or fatalities and major property damage) due to fire and ex-
plosions in cargo tank." Thus the entry specifies both the type and
severity of the accident.
4.4.2.9 Column 9, "Simultaneous Events or Conditions Required".
In this column are indicated the events or conditions, if any, that must also
occur along with the failure/error being analyzed for the "ultimate effect"
entered in column 8 to be realized. Each such event or condition must be
entered because the number of them indicates the number of "paths" involved
in a logic diagram portrayal of the accident. The more such paths, the
lower the likelihood of the "ultimate effect". The number of such paths is
one of the criticality criteria, just as it was in the logic diagram approach
described previously.

4.4.2.10 Column 10, "Hazard Severity Category". This is the first of the three criticality evaluation criteria to be entered in this HMEA. As before, the schedule of severity categories presented in Table 4-1 is used in the simplified form discussed in Section 4.3.2.2 for this evaluation. The category to be used is directly reflected in the citation of the "ultimate effects" in column 8.

4.4.2.11 Column 11, "Inspection Impact of Failure/Error Likelihood". In this column, the effectiveness of the inspection function in subduing the probability of the failure under investigation is rated. This is the second of the three criticality criteria. The ranking is made in accordance with the method described in Section 4.3.4.3.

4.4.2.12 Column 12, "Multiple Event Ranking". This is the third of the criticality ranking criteria. It accounts for the effect on the probability of the ultimate accident of the requirement that independent events occur simultaneously in order to trigger the accident. Such accidents are much less probable than single event accidents. The probability reduction is roughly proportional to the number of simultaneous events required, so the entry in the column is simply that number.


4.4.2.13 Column 13, "Inspection Criticality Level Assessment". The same conventions were used in making this assessment in the HMEA as were used in making the final assessments for the logic diagram analysis. These conventions are shown in Table 4-2 and are described in Section 4.3.4.5.
4.4.3 Conduct of the HMEA


The HMEA carried out with respect to the STUDY VESSEL's cargo system is shown in Figure 4-14. The components and subsystems included in the analysis are those listed in Figure 4-13. The entries in the columns of the HMEA are in accordance with the conventions discussed in the preceding subsections. The analysis brings out with reasonably satisfactory emphasis the fact that nearly all the accidents postulated in this study are multiple-event occurrences, this being the nature of fires and explosions. The scenarios described by the horizontal row entries are also well tuned to the inspection orientation of this study.

It is noteworthy that this analysis was not carried to the level of specific, individual parts and components as is normally done with detailed failure mode and effect analyses in reliability engineering. In such analyses, it is routinely necessary to account quantitatively for the performance of every individual part in the system. Instead, because this was a safety analysis, it was found that functional classes of parts and components (i.e., ullage fittings, main deck piping) could be usefully addressed. To discover how relatively critical the inspection of main deck piping would be, for example, it was only necessary to consider the hazards created by leaks or ruptures in that piping subsystem. Consideration of individual runs of piping or particular valves added nothing to the information that could be generated from the analysis. Similarly, it was found that all the tank containment structure could be considered as one element to be analyzed. This collapsing of the thousands of individual parts and components making up the STUDY VESSEL's cargo system into a relatively small number of component classes made it possible to substantially shorten the HMEA over what it would have been if all components had been considered separately. This point of technique should not be applied blindly in the making of HMEA's, however; it was feasible in this case because of the nature of the inspection process, which itself considers classes of components rather than individual ones in setting inspection priorities.

Also, the HMEA was scoped to consider only the vessel's cargo system components as the entry items in the tabulation. This sharply limits the range of items whose failures are considered. For example, the fire main and pumps are not part of the cargo system, so the need for inspecting them as an integral part of controlling fire/explosion hazards in the cargo system did not emerge in the findings from the HMEA. In this respect, the logic diagram technique is superior to the HMEA when a limited scope safety analysis is to be performed.

[Figure 4-14 (HMEA tabulation) appears here; only its column headings survived extraction: Item Identification, Failure/Error, Mechanism, Effect.]

The specific results of the HMEA, in the form of a safety critical profile, are presented in Figure 4-15. It will be noted that the results are similar to those obtained with the logic diagram technique except for the coverage limitations. In spite of the probability that there was subconscious biasing of the results with those of the logic diagram approach, the study team is satisfied that either of these analysis techniques, used in a qualitative manner, will produce similar results.

4.5 CRITIQUE OF ANALYSIS TECHNIQUES

The conduct of this study was successful with respect to the issues posed at the outset concerning analysis techniques. The study team arrived at a set of conclusions regarding these issues. The underlying questions being addressed were:

• Does the system safety analysis approach work? Is it analytically satisfying, convenient to use, and are the results convincing?

• Does one or another of the analysis techniques available seem to be superior for use in the context of commercial vessels?

• What is the impact of the prospective use of system safety analysis techniques on the design of VIIS?

• Taken as a whole, do the results of this study shed any light on whether or not system safety techniques are better than conventional approaches to safety analysis and risk management for commercial vessels?

4.5.1 Tractability of the System Safety Approach

In the context of commercial vessel technology, the system safety approach proved to be entirely tractable for the study team involved. The process of breaking down the vessel systems into coherent, analyzable elements proceeded without difficulty. There were no contradictory or anomalous interface problems. Although many interdependencies exist with respect to hazardous conditions and the means for controlling them, these were not severe and did not pose special analytical difficulty. Each of the three techniques used (PHA, logic diagram analysis, and HMEA) was applied without undue trouble to the STUDY VESSEL. Input information needed for these qualitative analyses was readily extracted from the vessel's plans, records, and other documentation, and from the insights gained in the course of the on-board inspection and study. The underlying logic of each of the techniques was not defeated in application by excessive system complexity.

All  the  techniques  were  analytically  satisfying;  that  is,  the 
analysis  process,  in  every  case,  suggested  items  to  be  covered  that  would 
not  otherwise  have  been  covered  and  exposed  relationships  that  might  not 
have  been  perceived  by  subjectively  applied  expertise.  In  other  words,  the 
use  of  systematic  analysis  techniques  is  believed  to  have  obtained  results 
that  would  not  otherwise  have  been  obtainable.  The  techniques  were  easy 
to  use  and  flexible  in  application.  At  no  time  did  the  analysts  have  to 
"fight  the  method"  instead  of  concentrating  on  the  problem  of  identifying 
and  assessing  hazards. 

Finally, in the judgement of the study team, the results are convincing. They generally satisfy one's intuitive ideas of what items on the STUDY VESSEL are most important to be inspected. In the few cases where intuition was surprised by the analytical results, the analyses provided satisfactory rationales for the seeming anomalies. For example, one would have expected the fire main and fire pumps to have been assigned top (mandatory) priority as inspection items in a study concerned with fire hazards. In fact, these items fall in the second (critical) ranking group; they are multiple-path failures with comparatively less likelihood of causing major damage or injuries in connection with a fire.
4.5.2 Most Useful Techniques

In considering the question of which of the analysis techniques is the most useful, one should note that, as explained in Section 4.2, the PHA is essential to any systematic safety analysis. Its relative usefulness is not, therefore, at issue in this study.

As  between  the  logic  diagram  and  HMEA  techniques,  the  following 
observations  were  made  by  the  study  team. 

4.5.2.1 Data Responsiveness. Both techniques were useful and usable in arriving at convincing results in spite of the absence of quantitative data on failures.

4.5.2.2 Interplay of Techniques. Both techniques are actually in use at all times during the conduct of the safety analysis. If the analyst's basic strategy is to use the deductive technique, he will find himself using inductive tactics in carrying out that technique, and vice versa. Thus, the techniques are not mutually exclusive; in fact, they are highly complementary from the standpoint of the mental processes in play as the analysis goes forward. The real issue, frequently, has to do with which form of notation seems to be the most useful way to document and describe the results of the analysis.


4.5.2.3 Advantages and Disadvantages of the Logic Diagram Technique. In the opinion of the project team, the logic diagram technique has several great advantages: (1) it portrays the hazards more accurately and completely, (2) it explicitly depicts multi-path accidents so the criticality of the failures/errors involved can be accurately appraised, (3) it provides greater intellectual stimulus for creative safety analysis, and (4) it lends itself to quantitative solutions when and if data become available. The overriding advantage, however, is that the mathematical rigor inherent in the logic diagram technique imposes a practical discipline on the conduct of a qualitative approach such that one naturally develops confidence in the results obtained. The disadvantage of the logic diagram technique is that the same rigor alluded to above makes the job of designing the tree very demanding. It takes a long time to do, requires a great ability to conceptualize in both mathematical and engineering contexts, and forces the analyst to spend some amount of time on aspects of the safety problem in which he might have no immediate interest because the technique demands comprehensive treatment.


4.5.2.4 Advantages and Disadvantages of the HMEA. In these characteristics, the HMEA is in many respects the opposite of the logic diagram. Its advantages are: (1) it is a highly flexible, even subjective, tool so the analyst is free to tailor its format (table headings) to fit his particular needs, (2) he may arbitrarily restrict his study to only the particular set of failures/errors with which he is concerned, thus avoiding irrelevancy, (3) there is greater scope for subjective judgement in making necessary assessments, and (4) it is a good communications tool because it is largely self-explanatory (one need not be acquainted with Boolean algebra to grasp its meaning). Its disadvantage is that, in this case at least, it offered far less stimulus to describe accident possibilities completely, did not account for as many failures/errors, and does not explicitly depict the number of paths involved in generating an accident. Although a column entry was provided to account for this last factor, it was still judged that the HMEA's power to describe the interactions involved in developing an accident fell far short of that of the logic diagram.

4.5.2.5 Conclusions Regarding Analysis Techniques. On balance, the study team considers the logic diagram the more powerful tool and recommends its use where resources and time permit. However, the HMEA should never arbitrarily be eliminated from consideration, and the natural interplay of the two techniques should be capitalized on when possible.
4.5.3 Impact of System Safety Analysis on the Design of VIIS

The impact on the design of VIIS was described fully in Section 3.6. Appendix C describes the implementation plan for incorporating in VIIS the capabilities that respond to the needs of system safety analysis of ships.

4.5.4 Superiority of System Safety Techniques

One of the results of this study is that the team is convinced of the superiority of the system safety approach in comparison with conventional methods of dealing with risk in commercial vessels. This is true in spite of the fact that the study did not turn up startling or dramatic new hazards. Review of the hazards listings in Table 4-3 in the light of the general literature and body of knowledge on the hazards of fire in vessels shows that almost no unknown or unsuspected hazards pertaining to ships of the STUDY VESSEL's type were found, nor were any new, improved methods of hazard control revealed. It has been suggested that the hazards listings could have been developed without having to use system safety analysis techniques, simply by querying experienced individuals familiar with the STUDY VESSEL.

A basic question arises from this; namely, can the results of this study be interpreted to affirm or deny the premise mentioned in the "Introduction" to this report that system safety analysis techniques comprise a potentially superior way of managing risk with respect to commercial vessels and, therefore, should soon be incorporated in the Coast Guard's CVS program? Addressing this question is not precisely within the scope of this study. However, the matter is important and the study had results which, in the opinion of the study team, are pertinent to the question.

In measuring the effectiveness of safety analysis approaches, two criteria apply: (1) the efficacy of the approach in identifying hazards that are present in the system and (2) the ability of the methodology to provide a good basis for allocating resources for controlling the hazards.
4.5.4.1 Hazard Identification. In applying this criterion, the basic issue is the ability to identify hazards that have not yet been revealed by accidents and demonstrate their presence convincingly enough that scarce resources will be committed to controlling them. Those who advocate the use of system safety techniques claim that these techniques are effective in doing this, whereas the "traditional" approach to safety engineering is purely reactive, spending resources to control only those hazards revealed by accident experience.

An example study of the kind conducted here cannot obtain a clear-cut answer on this matter. If, on the one hand, a vessel about which a body of experience already exists is studied, as in this case, it can be anticipated that the hazard field has already been well covered by that experience and there are, in fact, no new hazards of major importance remaining to be discovered. In that case, system safety techniques are useful mainly to organize the experience so as to maximize its usefulness in hazard control and to confirm that unknown/unsuspected hazards are not present. On the other hand, if the example study is directed to a vessel featuring novel technology about which there is no body of experience, the validity of the hazard listings produced by the study cannot be "proved". One can only speculate on the basis of how convincing the supporting analysis brought forward for the hazards is.

As between these two approaches, it was believed that, in this case, more useful insights about the application of system safety techniques could be drawn from taking the first. Although unsuspected hazards were not discovered, it is by no means unimportant that the study team identified and dealt with over 70 specific hazard conditions which span the field of experience pertaining to the scope of this study. The team members are analysts with marine experience, but this experience is not in the field of designing, building, or operating vessels of the type studied here. The hazard listings cited in this report were developed through the use of system safety analytical procedures. Although these procedures included, as a matter of routine, accident experience*, the major source for the identification of specific hazards was the analytical process itself: vessel familiarization followed by the exploratory construction of accident logic diagrams and the HMEA tables. The resulting hazard listings are believed to recite accurately the experience compiled with respect to the topics covered in the study.

This is interpreted by the study team as being strong confirmation of the capability of system safety analysis techniques to stimulate exhaustive hazard identification.

* The STUDY VESSEL itself has not experienced any fires or explosions in its 10-year service life.

4.5.4.2 Basis for Resource Allocation. The SCP developed in this study is a resource allocation plan, the resource consisting of Coast Guard inspector manpower and material plus inspected vessel downtime costs. The SCP indicates how this particular resource can be most effectively deployed for the control of the observed hazards. The same system safety analysis techniques could be used to generate allocation plans for hazard control through vessel design, hazard control through law enforcement, and so on.

There is no counterpart to this capability in traditional approaches to safety assurance. Allocations of resources to safety were, and still are for the most part, made in a haphazard way, mainly responding to accidents or incidents. Indeed, the main stimulus for the development of the system safety approach was the need for allocating resources to safety on a more rational and anticipatory basis in connection with new and novel systems in the space and defense domains.

The SCP developed herein demonstrates the capability of system safety techniques to support this decision-making function in the domain of commercial vessels. There is no other approach available. As the Coast Guard continues its endeavor to order its whole framework of safety activity into the most effective form, it will inevitably take up progressively the practice of system safety techniques.
APPENDIX A

STUDY  VESSEL  DESCRIPTION 

The  STUDY  VESSEL  is  a modern,  high-speed  special  products  carrier. 
Proper  understanding  of  this  safety  analysis  requires  an  adequate  description 
of  the  ship  in  terms  of  general  matters  concerning  the  nature  of  her  service 
and  history,  and  the  particulars  of  her  several  systems. 

History 

The  STUDY  VESSEL  was  built  at  the  Sparrows  Point  shipyard  of 
Bethlehem  Steel  and  was  placed  in  service  by  her  present  owners  in  1966. 
Although  the  hull  design  was  basically  a standard  Bethlehem  item,  the  tank 
segregation  details,  cargo  piping  and  pumping  arrangements,  and  a variety  of 
other  features  were  worked  out  as  a joint  enterprise  by  the  vessel  owner, 
the  prospective  long-term  charterer,  and  Bethlehem.  The  result  is  a vessel 
design  unusually  closely  tailored  to  the  requirements  of  a cargo  movement 
operation that is precisely defined as to material hauled, schedule, and route.

The  vessel  has  operated  solely  in  the  mode  for  which  she  was 
designed  since  going  into  service. 

Service 


The STUDY VESSEL hauls a large variety of high-value, liquid bulk products (refined petroleum products and chemicals) on a fixed route between a port on the Gulf Coast and a terminal at a petrochemicals processing complex in the Northeast. The full round trip, including loading and unloading, takes approximately 12 days; the northbound is the loaded run while the southbound is in ballast with tank cleaning and preparation operations being performed.

In performing this highly repetitious operation, the STUDY VESSEL is really functioning as an extremely critical materials handling step in a continuous-flow chemical processing plant whose upstream part is in the Southwest while the downstream part is in the Northeast. Schedule variation allowances and delivered product purity requirements are tight in order to preclude expensive interruptions to the continuity of the overall process. Thus, the profit level for the vessel's owner depends on keeping the ship operation at a high level of reliability.

One of the complicating factors in the operation is that, although the spectrum of types of cargoes carried is well defined (the vessel was designed with this spectrum firmly established), there is still considerable variety from trip to trip in the specific loads carried. This means that on every southbound trip a substantial amount of tank cleaning and preparation is required to accommodate changes in the material to be loaded in certain of the tanks for the next trip. Although cargo schedules as to kinds and amounts for each trip are mapped out well in advance, there are characteristically a few last-minute changes communicated to the vessel during the southbound voyage; these have to be accommodated by changes in the cleaning and preparation operation while still at sea before arrival at the loading terminal.

Operating  Phases 

For safety analysis purposes, it was necessary to subdivide the total operation into phases, each of which represents a unique situation with respect to the several hazards. After considerable experimental iteration, the following operational phases were distinguished:

(1) Loading cargo at terminal in vicinity of population centers

(2) Unloading cargo at terminal in vicinity of population centers

(3) Underway, loaded, on soundings (entering or leaving harbor) near population centers

(4) Underway, unloaded and in ballast, on soundings (entering or leaving harbor) near population centers

(5) Underway, loaded, at sea, routine weather conditions

(6) Underway, loaded, at sea, heavy weather conditions

(7) Underway, in ballast, at sea, routine weather conditions

(8) Underway, in ballast, at sea, heavy weather conditions

(9) Underway, unloaded, at sea, cargo tank cleaning/preparation operations being conducted.


Cargoes  Carried 


The STUDY VESSEL is certified by the Coast Guard to carry the following cargoes:

(a) Polar Solvents

Dimethyl Ketone (DMK)
Methyl Isobutyl Ketone
Methyl Isobutyl Carbinol
Methyl Ethyl Ketone (MEK)
Isobutyl Alcohol
Ethyl Alcohol
Ethylene Glycol
Normal Butyl Alcohol
Secondary Butyl Alcohol

(b) Other Cargoes

Petroleum and Lube Oils
Glycerine
Mineral Spirits
Naphtha
Benzene
Tolusol (Toluene)
Xylene
Styrene
Neodol
Epichlorohydrin (ECH).

In this listing, the category "petroleum and lube oils" covers all grades of gasoline, aircraft fuels, and many grades of lubes.
Particulars


Details  of  the  STUDY  VESSEL  are  presented  here  in  terms  of  the 
vessel  system  breakdown  defined  in  Appendix  A. 

Hull 

The basic hull dimensions of the STUDY VESSEL are as follows:

Length overall - 660'-2"
Breadth (MLD) - 90'-0"
International summer draft - 36'-7-3/4".

The  hull  arrangement  is  conventional.  There  is  one  ballast  tank 
forward.  The  middle  body  contains  the  cargo  tanks  as  will  be  described  later 
in  the  "Cargo  Systems  Description".  Main  machinery  spaces,  fuel  and  water 
tanks,  living  quarters,  and  navigation  bridge  are  aft. 

The  hull  scantlings  are  ABS  ship  steel  with  heavy  strakes  of 
normalized  plate  in  the  way  of  the  sheer  strake  and  the  main  deck  stringer 
plate  in  the  middle  body  of  the  vessel. 

The STUDY VESSEL is equipped with a Loderater analogue computer located in the Master's cabin. This equipment provides the Master with a means to predict static loads with various cargoes and distributions of such cargoes. The computer provides the following displacement/trim information:

Draft
Metacentric height
Static shear stress and bending moments at 10 locations along the ship's length.

Boilers  and  Pressure  Vessels 


Two Foster Wheeler, automatic combustion controlled boilers provide steam for the main propulsion and electrical service plants. Main propulsion steam is at 600 psi gage, 900 degree superheat. Other pressure vessels are associated with the air conditioning system for the living quarters, the service compressed air system, and the fresh-water distilling plant.
Propulsion


The main propulsion system is steam turbine geared, driving a single shaft with a three-bladed bronze propeller, 21'-6" diameter, 21'-8" pitch. The plant is rated at 15,000 shaft horsepower. The steam turbines and reduction gear are General Electric units.

Mooring/Anchoring

The vessel is equipped with two stockless anchors (17,955 lb) plus one spare anchor. The anchors are linked to 330 fathoms of 2-13/16" stud link anchor chain. One electrohydraulic anchor winch with two horizontal wildcats handles the anchor chain.

Also provided on board is 900 feet of 2-1/8", 6 x 24 wire cable, referred to aboard the vessel as an "insurance towline".

Other mooring equipment includes six electrohydraulic, constant-tension mooring winches and one vertical electrohydraulic winch at the stern.

Navigation/Communications 

The STUDY VESSEL was equipped with the usual equipment for terrestrial and celestial navigation. Equipment available included

• Sextants 

• Azimuth  circles 

• Gyro  and  magnetic  compasses 

• An  autopilot 

• Radio  direction  finder  (as  noted  below) 

• Fathometer 

• Loran  A-C  receiver 

• Two  radar  systems  (as  noted  below) 

• Chronometers. 

The following inventory of communications equipment was on board, located in the radio room, bridge area, or elsewhere, as noted:
Transmitting Equipment       Manufacturer     Type           Output Power, Watts
  Telephone
    2 Mc/s                   ITT/MM           2166           150
    HF                       ITT/MM           2166           150
    VHF No. 1                Raytheon         Ray-42-VHF     25 O/P
    VHF No. 2                INTECH           V 108          25 O/P
  Radar #1                   Raytheon         1650           n.a.
  Radar #2                   Kelvin Hughes    17/6us         n.a.
  Telegraph
    Main                     ITT/MM           2012A          1050
    Emergency                ITT/MM           2010A          90
    HF                       ITT/MM           2018A (2F)     900
    Survival craft           ITT/MM           401a           15

Receiving Equipment          Manufacturer     Type
  Main receiver              ITT/MM           30106
  Emergency receiver         ITT/MM           3001A
  Auto alarm                 ITT/MM           50026
  DF                         ITT/MM           4004A

Electrical

The electrical system is powered by two ships service turbo generator sets and one emergency diesel generator. The turbo generators, originally used on a Navy battleship, are GE units, Type AT6-2, rated at 450 V, 250 kva, 1000 kw at 3600 rpm. The emergency generator, driven by a Cummins NHS-6-IP engine, is an EM Type ERKT rated at 150 kw, 450 v.

The electrical distribution system is of conventional arrangement. The main control board, located forward, starboard side in the engine room, is by Federal Pacific. Main feeders, distribution panels, and controllers for all cargo pump motors are grouped in the engine room upper level, starboard side.


Life Protection

Life protection equipment for vessel emergency situations consists of

- 2 lifeboats, 37-man capacity, fully equipped as prescribed in Coast Guard regulations

- Inflatable rafts, automatic releasing, 36-man capacity, fully equipped as prescribed in Coast Guard regulations.

- Life jackets.

Life Support. Life support (breathing equipment), including protective clothing, is provided for fighting fires and cleaning up spills of poisonous or combustible cargoes. Protective clothing and life support are also required when handling specially hazardous cargoes. The equipment is utilized in entering cargo tanks to determine the safety of the environment and to rescue personnel who may have been overcome in supposedly gas-free or safe atmospheres in tanks, pump room, or other enclosed spaces. Resuscitators are also carried for emergency treatment of casualties.

Life support equipment provided includes the following items:

Two Gas Masks, Type N, MSA Window Cator Model SW, canister type for use with acids, ammonia, carbon monoxide, organic vapors, and particulates. This mask must not be used in an oxygen-deficient atmosphere or to fight fires.

Two reflective fire-fighting personal protective suits including boots and gloves.

One Oxygen Breathing Apparatus (OBA) plus spare oxygen canisters.*

Two Air Masks (MSA) equipped with pressure regulators and air flasks.*

Two suits of chemical protective clothing plus goggles and gloves.

One resuscitator with spare oxygen bottles.

One MSA Foille Burn Kit.

Emergency Alarms and Machinery Shut-Down Equipment. There are 24 alarm bells distributed throughout the ship. These can be sounded at three stations: the navigation bridge, the passageway outside the Chief Engineer's office, and the engine room log desk or control station.

* Both of these equipments are provided with a harness and stainless steel cable life lines.

Ship's ventilation shut-down stations are located on the navigation bridge and at the log desk in the engine room.

Emergency stops for forced draft blowers, fuel oil service pumps, fuel oil transfer pumps, machinery space, and pump room ventilation systems are located on the starboard side passageway in the crew's quarters.

Fire Control

The fire control system on the STUDY VESSEL consists of three main means of fire fighting: (1) a conventional pressurized sea water system consisting of pumps, fire main, and associated hoses and application equipment; (2) a foam system consisting of a foam-generating plant, deck monitors, and application systems in pump room and engine room; and (3) a distributed fixed/portable system using CO2.

Foam System. This system provides fire-fighting capability for the engine and pump rooms and the cargo area. Protection for petroleum fires and polar solvent fires is provided by 3 percent and 100 percent concentrate Aerofoam distribution systems. For petroleum fires, a 3 percent concentrate is used. For polar solvents, 100 percent concentrate is used in conjunction with the 3 percent concentrate.

Foam is controlled at the storage tank (1,365 gallons) and proportioning pump station located on the main deck in the forward part of the deck house on the center line. Sound-powered phones are used to control the system between this station, the bridge, the engine room, and the foam stations.

Foam is distributed by a 6-inch main to the main deck catwalk where there are four monitor stations. In addition, at each monitor there are 2-1/2-inch hydrants supplied with two portable foam nozzles. A 3-inch main can provide foam to the cargo pump room where 6 fixed nozzles distribute foam at the lower machinery level. A 6-inch main provides foam to 12 fixed nozzles at various locations in the engine room lower level.

CO2 Extinguishing Capabilities. One Walter Kidde 100-lb cylinder with 50' of 1/2" hose with a nozzle and reel is located in the engine room. Twenty-six 15-lb portable CO2 extinguishers are located throughout the ship. The paint locker and the cargo office are protected by fixed CO2 systems.

Firemain Systems. The firemain is a single 8" pipeline running fore and aft. There are no isolation valves in the firemain. The system is served by two electrically-driven fire pumps of 600 gpm capacity. An 800 gpm steam-turbine-driven pump can also pressurize the firemain. However, this last pump is used mainly for tank cleaning. The firemain serves 22 fire stations equipped with all-purpose nozzles, low-velocity applicators, and a total of 1575' of 2-1/2" and 1-1/2" hose.

Equipment Installed But Not Required by Regulations. Ten ANSUL portable dry chemical fire extinguishers (38-lb capacity) are provided and located close to the cargo transfer manifolds on the main deck when cargo is being pumped between ship and shore. Two ANSUL dry chemical extinguishers of 150-lb capacity are installed in 3 CP and 4 C pump houses on the main deck.

Figures 4-2 and 4-3 are deidentified copies of the standard descriptive form used aboard the STUDY VESSEL for planning cargo operations. The two figures provide a complete physical and operational description of the cargo system, which consists of tanks, pumps, and associated piping, fittings and auxiliary equipment. Examination of the vessel showed no discrepancies in these drawings.


STOWAGE PLAN - PUMPING

FIGURE A-1. CARGO TANKS AND PIPING SCHEMATIC

FIGURE A-2. CARGO PUMPING SYSTEM SCHEMATIC


APPENDIX B

STUDY VESSEL SYSTEMS

Below are tabulated the ship systems breakdown used in the safety analysis of the study vessel. This breakdown is the one used in the design of VIIS's data base. It is based on, and nearly identical to, a breakdown developed by MIS in 1974 as the framework for the Casualty Reporting System.

VESSEL SYSTEMS

Level I                     Level II                          Level III                          List No.

1. Hull                     1. Watertight Envelope            1. Main Deck                       1
                                                              2. Penetrations                    2
                                                              3. Shell Plating                   3
                            2. Strength Members               1. Decks                           4
                                                              2. Frames                          5
                                                              3. Bulkheads                       6
                            3. Superstructure                 1. Decks                           7
                                                              2. Frames                          8
                                                              3. Bulkheads                       9
                            4. Water Removal/Ballast M'gt.                                       55

2. Boilers & Pressure       1. Main Propulsion Boilers
   Vessels                  2. Auxiliary Boilers
                            3. Unfired Pressure Vessels

3. Propulsion               1. Power Generation System        1. Main Engine                     10
                                                              2. Auto Regulating Systems         11
                                                              3. Steam Cycle                     12
                                                              4. Fuel Oil                        13
                                                              5. Lube Oil System                 14
                                                              6. Cooling System                  15
                                                              7. Air System                      16
                            2. Coupling System                1. Fluid                           17
                                                              2. Mechanical                      18
                                                              3. Electrical                      19
                            3. Thrust System                  1. Shaft                           20
                                                              2. Bearings                        21
                                                              3. Propeller                       22
                            4. Vessel Movement                1. Steering Control System         25
                                                              2. Propulsion Control              26

4. Mooring/Anchoring        1. Mooring                                                           23
                            2. Anchoring                                                         24

5. Navigation/              1. Vessel Location System                                            24A
   Communications           2. Communication System           1. Interior                        27
                                                              2. Exterior                        28

6. Electrical               1. Power Generation System        1. Generation System               29
                            2. Emergency Power                1. Emergency Generation System     31
                               Generation Sys.                2. Emergency Drive Sys.            32
                            3. Power Distribution             1. Safety System                   33
                                                              2. Power Feeder System             34
                                                              3. Hotel Feeder System             35
                                                              4. Emergency System                36

7. Life Protection          1. Vessel Abandonment             1. Individual Protection           37
   System                      System                         2. Group Participation Sys.        38
                            2. On Board System                1. First Aid System                39
                                                              2. Personnel Protection System     40

8. Fire Control System      1. Fire Detection System          1. Electric System                 41
                                                              2. Pneumatic System                42
                                                              3. Heat Detecting System           43
                                                              4. Smoke Detecting System          44
                                                              5. Manual Detection System         45
                            2. Fire Fighting System           1. Fixed System & Semi-Portable    46
                                                              2. Portable System                 47
                            3. Fire Containment System        1. Structures & Closures           48

9. Cargo System             1. Cargo Environment Control      1. Pressure Control                49
                                                              2. Safety System                   50
                                                              3. Air Conditioning                51
                            2. Containment Sys.               1. Primary Containment             52
                                                              2. Secondary Containment           53
                            3. Transfer System                1. Cargo Loading/Unloading         54

10. Habitability            1. Sanitary System                1. Salt Water                      None
                                                              2. Drainage                        None
                            2. Vessel Access System           1. Personnel Boarding              56
                                                              2. Safety System                   57
                                                              3. Onboard                         58
                            3. Air Conditioning System        1. Heating                         59
                                                              2. Humidity                        60
                                                              3. Cooling                         61
                                                              4. Ventilation                     62
                            4. Food and Water System          1. Pest Control                    None
                                                              2. Food Preparation                None
                                                              3. Food Consumption Facilities     None
                                                              4. Food Storage                    63
                                                              5. Portable Water Supply           64
                            5. Personnel Accommodation        1. Sanitary & Recreation           None
                               System                            Facilities
COMPONENTS

List No.

1  Main Deck
     Damage
       Forward Quarter
       Mid-half Length
       After Quarter
     Repair
       Forward Quarter
       Mid-half Length
       After Quarter

2  Penetrations
     Deck Penetrations
       Cargo Hatches
       Ullage Openings
       Scuttles
       Manholes
     Shell Penetrations
       Side Ports
       Sea chests/sea suctions
       Overboard Discharges
       Transducers, fathometer, portholes & Other

3  Shell Plating
     Damage
       Forward Quarter
       Mid-half Length
       After Quarter
     Repair
       Forward Quarter
       Mid-half Length
       After Quarter

4  Decks (below main deck)
     Level 1
     Level 2
     Level 3
     Level 4
     Tank Tops

5  Frames (below main deck)
     Longitudinal
     Transverse
     Vertical
6  Bulkheads (below main deck)
     Longitudinal
     Transverse
       A. watertight subdivisions
       B. other

7  Decks (above main deck)
     Level A
     Level B
     Level C
     Level D

8  Frames (above main deck)
     Longitudinal
     Transverse
     Vertical

9  Bulkheads (above main deck)
     Longitudinal
     Transverse
       A. watertight subdivisions
       B. other

10 Main Engine
     Casing/Block
     Blade/Piston
     Crankshaft, shaft rotor
     Bearings
     Intake/exhaust valves
     Sentinel valves

11 Auto-regulation System
     Combustion Control board
     Engine Room console
     Bell recorders
     Information Recorders
     Throttle control equipment
     Other

12 Steam Cycle
     Boiler
       Tubes
       Drums
       Economizer/air heaters
       Safety valves
       Super heater
     Water heaters
     DC heaters
     Grease extractors
     Relief valves
12 (cont.)
     Valves & controls
       Feed
       Stop
       Check
     Water level indicators
     Pumps
     Injectors
     Air ejectors
     Gauges
       Thermometers
       Water Level Indicators
       Pressure Gauges
     Condensers
       Main
       Auxiliary
     Piping

13 Fuel Oil
     Pumps
     Valves
     Pipes
     Storage Tanks
     Vents & Strainers
     Injectors/Carburetors
     Heat Exchangers
     Gauges & Thermometers
     Alarms
     Remote Shutoff Valves
     Relief Valves

14 Lube Oil
     Pumps
     Valves & Controls
     Tanks
     Vents
     Strainers
     Heat Exchangers
     Piping
     Gauges & Thermometers
     Alarms
15 Cooling System
     Pumps
     Valves & Controls
     Heat Exchangers
     Tanks & Vents
     Piping
     Alarms
     Gauges & Thermometers

16 Air System
     Blowers
     Forced Draft Fan
     Turbo-charger
     Ducts
     Gauges
     Controllers
     Burner Air Register
     Stacks/Exhaust Piping
     Alarms

17 Coupling System
     Fluid System
       Hydraulic System
       Air System
       Casing
       Bearings
       Shafting
       Pressure Relief Valves

18 Mechanical System
     Casing
     Gears
       Bull Gear
       Spindle
       Pinion
       Other Gears
     Bearings
     Shafting

19 Electrical System
     Casing
       Air Cooled
       Water Cooled
       Refrigerant Cooled
     Motor Generator
       Coils
       Windings
       Brushes
       Commutator
       Shafting
       Bearings
       Rotor
19 (cont.)
       Stator
       Armature
     Over Current Protection

20 Thrust System
     Shafting
       Line Shaft
       Tail Shaft
       Key
       Keyway
       Sleeves

21 Bearings
     Thrust Bearing
     Stern Tube Bearing
     Spring Bearing

22 Propeller
     Blades
       Fixed Pitch
         Built up
         Solid
       Variable Pitch
     Pitch Control
     Propeller Nut
     Nozzles

23 Mooring & Anchoring System
     Mooring
       Lines
       Winches
       Constant Tension Winch
       Capstans
       Rigging
       Cleats
       Bits
       Winch Controls

24 Anchoring
     Chain/cable
     Anchor
     Windlass
     Hawse Pipe/cover
     Chain Locker
     Windlass Control/brake

24A Vessel Location System
     RDF
     Loran A or C
     Omega
     Radar
     Sextant
24A (cont.)
     Compass (Magnetic)
     Charts

25 Movement System
     Steering Control
       Gyro Repeaters
       Gyro Compass
       Magnetic Compass
       Iron Mike/Automatic Steering
       Rudder Angle Indicator
         Electrical
         Mechanical
       Alarms
       Electrical Switches/Controllers
       Motors
       Pumps
       Cylinder/Ram
       Ship's Wheel
       Trick Wheel
       Aft Steering Station
       Alarms
       Valves
       Bow Thruster

26 Propulsion Control
     Engine Order Telegraph
       Mechanical
       Electrical
       Alarms
     Bell Pulls
     Voice Tubes
     Bridge Console
       Throttle Control
       Directional Control
       Condition Recorder
     Bell Recorders
     Information Recorders

27 Communication Systems
     Interior System
       Telephones
         Electric
         Sound Powered
       Voice Tubes
       General Alarms
       Public Address
       Public Address (Emergency)

28 Exterior System
     Navigation Lights
     Flashing Lights
     Flares
     Sockets
     Radio
28 (cont.)
     Radar
     Sonar
     Fathometer
     Whistles/Fog Horn/Siren

29 Power Generation System
     Generation System
       Battery
       Electric Generator AC/DC
       Over Current Protection
       Reverse Current Relay
       Other
     Drive System
       Steam Turbine
       Gas Turbine
       Diesel Engine
       Gasoline Engine

31 Emergency Power System
     Generation
       Battery
       Generator AC/DC
       Safety Devices

32 Drive
     Diesel Engine
     Gasoline Engine
     Gas Turbine Engine
     Safety Devices

33 Distribution System
     Safety System
       Over Current Protection
       Fuses
       Circuit Breakers
       Mats & Guards

34 Power Feeder System
     Main Distribution Panel
     Motor Controllers
     Battery Chargers
     Miscellaneous Small Motors
     Switches
     Power Panels
     Wiring
35 Hotel Feeder System
     Lighting
     Electrical Panels/Distribution Boards
     Wiring
     Switches

36 Emergency System
     Emergency Power Panel
     Emergency Lighting Circuit
     Wiring
     Switches
     Over Current Protection

37 Vessel Abandonment
     Individual Protection
       Life Jackets
         How many required
         How many found onboard
         How many rejected
       Ring Buoys/Lighted Ring Buoys/Line
       Work Vests

38 Group Participation
     Life Boats
       Hull & Fittings
       Tank & Fittings
       Equipment & Storage
     Life Rafts
       Structure
       Releasing Gear
       Equipment & Storage
     Lifefloats & Buoyant Apparatus
     Disengaging Apparatus
     Lifeboat Propulsion
       Motor
       Hand Propelled
       Oars
       Sail
     Davits/Falls/Lifeboat winches/Controls
     Standing & Running Rigging
     Ladders & Lifelines
     Portable Radios
     Workboat
39 Onboard System
     First Aid
       Hospital
       Medicinal Supplies
       Stretcher
       Operating Room Explosion Proof

40 Personnel Protection
     Fresh Air Breathing Apparatus
     Self-contained Breathing Apparatus
     All Purpose Masks
     Emergency Squad Equipment
     Protective Clothing
     Flame Safety Lamp
     Explosion Proof Flashlight

41-45 Fire Detection
     Resistors
     Detectors
     Zone Indicator Panels
     Alarms
     System Control Panel (controls)
     System Test Panel
     Piping
     Valves
     Vent Controls
     Punch Clock
     Key & Holders

46 Fire Fighting
     CO2 Storage Bottles
     Operation Controls
     Vent Controls
     CO2 Alarm
     CO2 Discharge Delay Mechanism
     Actuation
     Valve (Stop)
     Discharge Nozzle
     Pipe
     Hose
     Reels
     Fire Pump
     Emergency Fire Pumps
     Valves
     Hydrants
     All Purpose Nozzle
     Supply Tanks
     Proportioning System
     Foam Monitors

47 Portable Systems
     Container
47 (cont.)
     Hose
     Nozzle

48 Fire Containment
     Closures & Structures
       Stuffing Boxes
       Fire Dampers (vents)
       Valves
       Spool Pieces
       Fire Doors
       Fire Door Controls

49 Cargo Environment Control System
     Pressure Control
       Safety/Relief Valves
       Pressure/Vacuum Valves
       Open Vent
       Flame Screen
       Piping

50 Safety System
     Inerting System
     Leak Detection Equipment
     Liquid Level Gauging
       Closed
       Open
       Restricted
     Piping

51 Air Conditioning System
     Temperature Control
       Piping
       Valves
       Control Equipment
       Ducting
       Dampers
       Heating Equipment/Steam/Electric
       Fans
       Refrigeration Equipment/Compressor
     Humidity Control
       Dehumidifier
       Ducting
       Control Equipment
       Fans
       Dampers
       Valve
52 Containment System
     Primary Containment System
       Single Skinned Cargo Holds
       Single Skinned Liquid Tanks
       Ullage Opening/Closure Fittings
       Hatch Coaming
       Hatch Cover
       Hatch Closing Controls
         Electric
         Mechanical
         Hydraulic
         Pipes/Wires

53 Secondary Containment System
     Securing/Hold Down Devices
     Closures/Openings
     Barge/Container Skin Covering

54 Transfer System
     Cargo Loading/Unloading
       Piping
       Pumps
       Valves
       Winches
       Booms
       Cranes
         Rotary Cranes
         Gantry Cranes
       Rigging (standing & running)
       Elevators
       Conveyors
       Controls

55 Water Removal/Ballast System
     Piping
     Pumps
     Valves
     Controls

56 Vessel Access System
     Personnel Boarding System
       Gangways
       Pilot Ladders
       Accommodation Ladders
       Swing Ropes
       Other
57 Safety System
     Gangway Safety Nets
     Rubber Mats
     Non-skid Deck/Ladder Coverings
     Hand Rails
     Grab Rails
     Warning Signs

58 Onboard System
     Ladders
       Vertical
       Inclined
       Portable
     Passages
     Doors
       Watertight
       Weather/Exterior
       Reefer
       Interior
       Fire
     Manholes
     Scuttles
     Working Platform/Staging/Boatswain Chair
     Floor Plate/Grating and Supports

59 Air Conditioning System
     Heating
       Auxiliary Boiler
       Hot Water Heater
       Pipes
       Valves
       Fuel System
       Radiators
       Fans
       Safety Valves
       Relief Valves
       Safety Controls
       Pumps
       Burners

60 Humidity
     Humidifiers
     Dehumidifiers
     Ducting
     Fans
     Controls

61 Cooling
     Compressors
     Pipes
61 (cont.)
     Valves
     Motors
     Fans
     Ducts
     Cooling Agent
     Control Valves (Expansion, Solenoids)
     Evaporator Coils
     Receivers
     Condensers
     Controls

62 Ventilation
     Ducts
     Dampers
     Fans
     Coils
     Remote Securing Devices
     Fire Closures
     Controls

63 Food and Water
     Food Storage
       Reefer Door Safety Latches
       Reefer Boxes
       Compressors
       Receivers
       Condensers
       Evaporator Coils
       Pipes
       Control Valves
       Gauges
       Dry Storage Areas

64 Portable Water Supply
     Shore Connections
     Evaporator (H.P. or L.P.)
     Air Ejectors
     Condensers
     Control Valves
     Pipes
     Valves
     Pumps
     Relief Valves
     Test Equipment
     Gauges
SYSTEM SAFETY ANALYSIS RESULTS
IMPLEMENTATION PLAN

In section 3.6 of the main body of this report, the safety analysis task's potential impacts on VIIS were described. Three requirements resulting from these impacts were identified:

• Ensure that VIIS is designed to have the capability for entry, updating, and retrieval of an SCP for each vessel in the system for which an SCP record is deemed appropriate.

• Ensure that VIIS can accumulate failure data from the field and search it in a manner useful for safety analysis.

• If judged appropriate by the Coast Guard, expand the plan for VIIS' analytical capabilities to include programs capable of solving problems involving symbolic logic diagrams representing Boolean algebra equations.

The implementation of these requirements has already been provided for in the basic VIIS Implementation Plan.* The first one, having to do with the SCP, simply presents the need to provide another user product in the system. Implementation Task I.1, "Finalize Design Products", has as its specific objective the design and incorporation of any new products thought necessary for VIIS at the outset of the implementation term. This task is scheduled to run during the first four months of that term.

There is some reason to doubt that it will be necessary to build the SCP capability into VIIS that early in its life. The Coast Guard's employment of system safety techniques in its vessel safety program will require some years yet before it matures to the point that vessel SCP's are coming into the information system. The fact is that VIIS has been designed with the capability in its own software to generate new user products and screen formats at any time. Therefore, the most reasonable implementation plan for the first item is to re-examine the need for the new product during Task I.1 and proceed accordingly.

* Citation of current issue of the "Implementation Plan".

Implementing the second item is more urgent. However, it has in fact already been implemented in the system in the form of the "Vessel File Damages/Defects Log" and the plan to include a general-purpose analysis capability to analyze the system's data base directly to seek and develop correlations among the data elements, and to conduct all standard statistical analyses.

The third item would best be implemented by adding one of the standard programs that have been developed for solving fault trees. It is not expected that this will become an urgent matter in the near future since it does not serve an objective arising from inspection function information needs.
APPENDIX D

LOGIC DIAGRAM CONSTRUCTION AND SYMBOLOGY*

A logic diagram analysis of an accident begins with the identification and definition of the accident in terms precise enough to support analytical treatment. The accident is then established as the "top-level undesired event".

The logic diagram is constructed to show symbolically the cause-effect relationships between the top-level undesired event and the contributing causes of its occurrence. It is a deductive analytical means to identify all failure modes contributing to the potential occurrence of the event. The logic diagram differs from the other main safety analysis techniques, the PHA and the HMEA, in that it displays all necessary failure modes and specific conditions which cause the top event, while the others consider only single-mode relationships to the top event.

Logic diagrams can be developed in either qualitative or quantitative form. Every analysis using them begins as a qualitative analysis; most of the value of doing this kind of analysis is realized in this form. Hazards which might otherwise be missed are systematically identified. The quantitative analysis aimed at numerical evaluation of "how big is the problem" can be expensive in relation to the value of the information obtained and is often impractical to perform. The answers obtained are never better than the numbers and assumptions used in the analysis. If a specific tolerance level or limit is specified for the system, then a quantitative solution is necessary and the probability of the top undesired event and its individual contributing events are calculated. The quantitative logic tree provides the foundation for applying safety engineering effort to control or eliminate those contributing failure paths having the highest probability of occurrence. Such paths are generally described as "critical" or "dominant" paths and they indicate the single failure or the combination of primary failure modes (independent failure modes) which are most likely to actuate the top event.

* The description presented here is based on the treatment of the topic in "Weapon System Safety Guidelines Handbook: System Safety Engineering Principles, Part III", NAVORD OD 44942, Section 7.11, Naval Ordnance Systems Command, May, 1973.
While numerical techniques are useful for relative comparisons, their use in determining absolute values is generally meaningless. The implication that valid and reliable numbers are available ignores the fact that unpredictable interactions and the human element are invariably somewhere in the system being analyzed.

The logic diagram has become known as a "fault tree" in system safety usage. It is really a symbolic event logic diagram or a complex logical statement because its construction is based on symbolic logic principles. The top undesired event is represented by a proposition, and all other substatements describing related events are connected through logical constants or connectives. All elements are governed by the basic laws and definitions of symbolic logic and set theory. Figure D-1 gives the symbology usually employed in constructing the diagram and the meaning of each.

Logic Diagram Guidelines

The steps for performing the logic diagram analysis are listed in the following tasks:

(1) Define the top undesired event boundary

(2) Collect input data

(3) Construct the diagram

(4) Evaluate the diagram

    (a) Qualitatively

    (b) Quantitatively

(5) Summarize and report results

    (a) Undesired top event within the risk limit

    (b) Corrective action

        1. Verify results of corrective action

        2. Update diagram structure

    (c) As a rule, any fault in which an AND gate does not occur above the fourth (4th) level indicates that unwarranted hazards may exist in the system.


• This symbol represents the top undesired event or any intermediate event. Expressed in the form of a proposition, statement, act, or outcome of an observation.

• A basic event requiring no further development for the purpose of analyzing the particular logic diagram. Defined as an "independent output" event or as a "primary" event.

• An event that must occur, or is expected to occur, as a normal operating condition of the system. It is not a failure or fault event.

• An event arbitrarily treated as basic in a logic diagram so that it is not developed further.

• An event that is a conditional input to a condition gate (see below). Defines a particular state of the system in which an input event may occur. It may be a normal condition or a failure.

• An AND gate describes the logic operation whereby the coexistence of all input events is required to produce the output event.

• An OR gate describes the logic operation whereby the output event will exist if one and/or more of the input events exists.

• A "general inhibit" gate (or "condition" gate) describes a causal relationship between one event and another. The input event directly produces the output event if the indicated condition is satisfied. May be treated as an AND gate in logical analysis.

• A "matrix" gate describes a situation when an output event is produced for certain combinations of events at the inputs. Input combinations are indicated by a (1) in the diagonal squares of the matrix and (0) for all other squares. Only combinations having the value (1) are considered in the event combinations.

• A transfer symbol is used to indicate continuity between two parts of a logic diagram. An alphanumeric symbol (Ai) indicates the part of the diagram to which, or from which, the transfer is made.

FIGURE D-1. LOGIC DIAGRAM ELEMENTS AND THEIR MEANINGS
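The qualitative and quantitative evaluation of steps (4)(a) and (4)(b), the "dominant path" described earlier in this appendix, and the AND-gate rule of thumb in step (5)(c), carried out in code as an added example that is not part of the report or of VIIS. The fault tree is a constructed cargo pump room fire scenario whose event names and probabilities are assumed for illustration; the gates follow Figure D-1 (the inhibit gate treated as AND), and primary events are assumed independent for the probability step, which is also the kind of fault-tree solving routine the implementation plan's third item refers to.

```python
"""Fault-tree (logic diagram) evaluator: cut sets, probability, AND-gate rule."""
import math
from itertools import product


class Basic:
    """Primary (independent) event; p is its probability for the quantitative step."""
    def __init__(self, name, p):
        self.name, self.p = name, p


class Gate:
    """Intermediate event produced by its inputs through an AND, OR or INHIBIT gate.
    The report treats the inhibit (condition) gate as an AND gate in logical analysis."""
    def __init__(self, name, kind, inputs):
        assert kind in ("AND", "OR", "INHIBIT")
        self.name, self.kind, self.inputs = name, kind, inputs


def minimal_cut_sets(node):
    """Qualitative evaluation: every minimal set of primary events that causes node.
    Returns a set of frozensets of Basic objects."""
    if isinstance(node, Basic):
        return {frozenset([node])}
    child_sets = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":            # any single input produces the output
        sets = set().union(*child_sets)
    else:                            # AND / INHIBIT: all inputs must coexist
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    # Boolean absorption: drop any set that contains a smaller cut set
    return {s for s in sets if not any(o < s for o in sets)}


def names(cut_set):
    """Sorted event names of a cut set, for reporting and comparison."""
    return sorted(b.name for b in cut_set)


def probability(node):
    """Quantitative evaluation, assuming the primary events are independent."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(c) for c in node.inputs]
    if node.kind == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    return math.prod(ps)


def dominant_path(node):
    """The 'critical' or 'dominant' path: the cut set most likely to actuate node."""
    return max(minimal_cut_sets(node),
               key=lambda cs: math.prod(b.p for b in cs))


def unguarded_branches(node, level=1, max_level=4):
    """Step (5)(c) rule of thumb: primary events reached from the top without passing
    an AND/INHIBIT gate within the first max_level levels (top event is level 1)."""
    if isinstance(node, Basic):
        return [node.name]
    if node.kind in ("AND", "INHIBIT") and level <= max_level:
        return []
    found = []
    for c in node.inputs:
        found += unguarded_branches(c, level + 1, max_level)
    return found


# Constructed tree (assumed names and probabilities, not from the report):
# fire in the cargo pump room of a products carrier.
SEAL = Basic("cargo pump seal leak", 0.02)
FLANGE = Basic("cargo piping flange leak", 0.01)
VENT = Basic("pump room ventilation not running", 0.05)
ELEC = Basic("electrical fault in pump room", 0.01)
HOTWORK = Basic("hot work without gas-free check", 0.005)
STATIC = Basic("static discharge", 0.002)

VAPOR_RELEASED = Gate("cargo vapor released", "OR", [SEAL, FLANGE])
VAPOR = Gate("flammable vapor accumulates", "INHIBIT", [VAPOR_RELEASED, VENT])
IGNITION = Gate("ignition source present", "OR", [ELEC, HOTWORK, STATIC])
PUMP_ROOM_FIRE = Gate("fire in cargo pump room", "AND", [VAPOR, IGNITION])

# Second constructed tree: the top event hangs on an OR gate alone, so every
# branch is a single-failure path and fails the AND-gate rule.
OVERFLOW = Gate("cargo tank overflow during loading", "OR",
                [Basic("level gauge fails high", 0.01),
                 Basic("topping-off not attended", 0.02)])

if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(PUMP_ROOM_FIRE), key=names):
        print(names(cs))
    print("P(top) =", probability(PUMP_ROOM_FIRE))
    print("dominant path:", names(dominant_path(PUMP_ROOM_FIRE)))
    print("unguarded branches in overflow tree:", unguarded_branches(OVERFLOW))
```

The six three-event cut sets are the qualitative result; the dominant path and top-event probability only mean as much as the assumed numbers, which is the caveat the appendix itself makes about quantitative trees.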
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Logic  Diagram  Symbology 

As mentioned previously, the logic diagram is a symbolic event diagram or
a composite statement made by connecting substatements, using applicable
logical constants to imply cause-effect relationships. It relies heavily
on symbology to assure consistency throughout the diagram, to aid in
identification of and reference to substatements, propositions, and
logical constants, and to simplify the flow of thought projected by the
diagram.

The terms "composite statement", "substatement", and "proposition" refer
to the statements used in describing the top or other events in a logic
diagram. The term "logical constants" refers to gates. The names "events"
and "gates" are terms more commonly used in system safety and are
retained here. The analyst should realize, however, that "event" and
"gate" have the same properties and obey the same laws as "proposition"
and "logical constant" defined in symbolic logic. Furthermore, "event"
and "gate" can also be thought of as "set" and "operator", respectively,
since they have the same properties and obey the same laws as in set
theory.

The term "event" denotes a dynamic change of state which takes place in a
system element; the term "element" includes hardware, environment,
software, personnel, activity, and/or operation. For logic diagrams, the
event occurs in either of two states: true or false. When an event is in
a true state, it implies the event has occurred, is occurring, or is "on"
for a significant duration. Similarly, when an event is in a false state,
it has not occurred or is "off". Frequently, the states of an event are
also represented by either "1" and "0" or "on" and "off", for true and
false, respectively. Thus, every event has a binary nature.

Each event also has two types: failure event and normal event. If the
change of state is such that the intended function of the particular
element is not achieved, or an unintended function is achieved, the event
is an abnormal function or FAILURE EVENT. If the change of state is such
that the intended function occurs as planned (or designed), the event is
then a normal system function or NORMAL EVENT.


Failure events can be divided into two categories: basic events and gate
events. The basic event is the dynamic change of state of a single system
element from an unfailed state to a failed state. Basic events are
related to specific failure rates and duration times. These events are
used only as inputs to a logic gate (never as outputs) and are,
therefore, independent events. A basic event is depicted on the logic
diagram by a circle.

The gate event is the resultant output event of a logic gate, dependent
upon the type of logic gate. Therefore, the gate event is a dependent
event. It must be noted that this event is not the logic gate itself, but
the output of the logic gate. The gate event is related to failure rate
and duration time, which, in turn, depend upon the input events and the
type of logic gate. As development progresses, gate events on one level
become inputs to gate events on the next higher level. This gate event is
also called a COMMAND EVENT.

The normal event is the expected or desired change of state of a system
element. A rate of occurrence and an event duration time are associated
with this event. The normal event is used only as an input to a logic
gate (never as an output) and is, therefore, an independent event.

A gate denotes a relationship of the state of one event to the state of
one or more other events. The basic gates used in a logic diagram are
"OR" and "AND". If OR and AND are considered as basic, then all other
gates can be resolved into these two.

A summary of the most common symbols used by logic diagram analysts is
shown in Figure D-1. The various event and gate symbols are in the first
column; their use is explained in the second.

Logic  Diagram  Structuring 

Basically a logic diagram is built by constructing one or more segments,
each consisting of an output event, preceded by a logical implication
represented by a combination of the symbols shown in Figure D-1. These
symbols depict a cause-effect relation to the output event as shown in
Figure D-2.

[Figure D-2: a single input (cause) event connected through a gate to an
output (effect) event.]

FIGURE D-2. ELEMENTARY CAUSE-EFFECT RELATIONSHIP

If output event (A) is the top event under study, and input event B is
the type that can be identified by a circle, a house, or a diamond, then
the tree is completed and has one segment consisting of three elements
(two events and a logic symbol). If the input event is a composite of
events B, C, D, E, etc., where each input event is identified by a
circle, a house, or a diamond, the tree is completed and has one segment,
made up of two elements more than the number of composite input events.

If one or more of the input events cannot be identified with a circle,
house, or diamond, and is identified by a rectangle, then any such event
becomes the output event (gate event or command event) of a new segment
which must be developed. The diagram continues in this manner until all
originating input events are identified by circles, diamonds, or houses.

To clarify the above discussion, assume that top event A of Figure D-3 is
to be analyzed. Upon analyzing event A, it is determined there are four
input events, A11, A12, A13, and A14, and any one or any combination of
all (OR gate) can cause event A to occur. Further examining these events,
it is found that event A11 is a primary failure mode of a component,
identified by a circle (refer to Figure D-1), and event A12 is an
external energy source (not intended by the design) which could cause A
to occur. This is a secondary failure mode and can be identified by a
diamond. Events A13 and A14 are failure modes which can be caused by
other events from a subsystem or components downstream, and are gate or
command events which are identified by rectangles. Thus, the first
segment (sometimes called first level) of a logic diagram is completed as
shown in that part of Figure D-3 which lies above the heavy line.


FIGURE D-3. FAULT-TREE SEGMENTS

Since A13 and A14 affect the state of the system, they will require
further analysis. If because of space or information limitations it is
decided that event A14 will be transferred to another page or analyzed at
a later date, the transfer gate is used, as indicated. Event A13 is
analyzed considering what other event or events are immediately necessary
and sufficient to create event A13. To meet the immediately necessary and
sufficient requirements, two events, B11 and B12, must occur
simultaneously to produce event A13. In this case, an AND gate connecting
B11 and B12 is required.

Furthermore, event B11 is a normally expected function, not a failure,
and should be identified by a house. B12 is identified as a gate event
and needs to be further analyzed. From this information, a second segment
consisting of A13 as the output and B11 and B12 as the composite inputs
defined by an "AND" gate is shown by the section of Figure D-3 lying
below the heavy line. Now B12 becomes the command or top event. Following
the same reasoning as outlined, another segment of the tree is
constructed. Repeat this procedure until no further command events can be
identified. When all input events are independent events identified by a
circle, diamond, or house, the logic diagram analysis is considered
complete.
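The Figure D-3 segments, written out as a small fault-tree evaluator. This is an added example, not part of the report; it encodes the events and gates described above (circle, house, diamond leaves; AND, OR and inhibit gates, with inhibit treated as AND per Figure D-1), evaluates the top event from leaf states, and derives the minimal cut sets. B12 and A14 are left undeveloped in the text, so they are modelled here as diamonds (an assumption).

```python
"""Fault tree (logic diagram) evaluator for the Figure D-3 example."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, Set, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    """Independent input event: circle (basic failure), house (normal
    event) or diamond (undeveloped event treated as basic)."""
    name: str
    kind: str


@dataclass(frozen=True)
class Gate:
    """Gate (command) event, drawn as a rectangle, with its logic op."""
    name: str
    op: str                 # "AND", "OR" or "INHIBIT"
    inputs: Tuple["Node", ...]


Node = Union[Leaf, Gate]


def evaluate(node: Node, state: Dict[str, bool]) -> bool:
    """True/false state of an event given the states of its leaf events
    (leaves not listed in `state` are taken as false / 'off')."""
    if isinstance(node, Leaf):
        return state.get(node.name, False)
    vals = [evaluate(i, state) for i in node.inputs]
    if node.op == "OR":
        return any(vals)
    return all(vals)        # AND; INHIBIT treated as AND (Figure D-1)


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal cut sets: smallest leaf combinations that make `node` true."""
    if isinstance(node, Leaf):
        return {frozenset([node.name])}
    child = [cut_sets(i) for i in node.inputs]
    if node.op == "OR":
        sets = set().union(*child)
    else:                   # AND / INHIBIT: every input must contribute
        sets = {frozenset().union(*combo) for combo in product(*child)}
    return {s for s in sets if not any(o < s for o in sets)}  # drop supersets


# Figure D-3 as described in the text. B12 and A14 are not developed
# further there, so they are modelled as diamonds (assumption).
A13 = Gate("A13", "AND", (Leaf("B11", "house"), Leaf("B12", "diamond")))
TOP = Gate("A", "OR", (Leaf("A11", "circle"), Leaf("A12", "diamond"),
                       A13, Leaf("A14", "diamond")))


def d3_top_state(state: Dict[str, bool]) -> bool:
    return evaluate(TOP, state)


def d3_cut_sets() -> Set[FrozenSet[str]]:
    return cut_sets(TOP)
```

The normal event B11 alone never produces A; only the coexistence of B11 and B12 (the AND segment) or any single first-level failure input does.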


